Pearson, a London-based publishing and education giant that provides software to schools and universities has agreed to pay $1 million to settle charges that it misled investors about a 2018 data breach resulting in the theft of millions of student records.
The U.S. Securities and Exchange Commission announced the settlement on Monday after the agency found that Pearson made “misleading statements and omissions” about its 2018 data breach, which saw millions of student usernames and scrambled passwords stolen, along with the administrator login credentials of 13,000 schools, district and university customer accounts.
The agency said that in Person’s semi-annual review filed in July 2019, the company referred to the incident as a “hypothetical risk,” even after the data breach had happened. Similarly, in a statement that same month, Pearson said the breach may include dates of birth and email addresses, when it knew that such records were stolen, according to the SEC.
Pearson also said that it had “strict protections” in place when it actually took the company six months to patch the vulnerability after it was notified.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident and overstated the company’s data protection,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
While Pearson did not admit wrongdoing as part of the settlement, Pearson agreed to pay a $1 million penalty — a small fraction of the $489 million in pre-tax profits that the company raked in last year.
A Pearson spokesperson told TechCrunch: “We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the Justice Department to identify and charge those responsible for a global cyberattack that affected Pearson and many other companies and industries, including at least one government agency.”
Pearson said the breach related to its AIMSweb1.0 web-based software for entering and tracking students’ academic performance, which it retired in July 2019. “Pearson continues to enhance its cybersecurity efforts to minimize the risk of cyberattacks in an ever-changing threat landscape,” the spokesperson added.