Pearson to pay $1m to settle charges it misled investors about data breach
Education publisher Pearson will pay $1m to settle charges that it misled investors about a data breach in 2018 involving the theft of millions of student records, including dates of birth and email addresses.
Pearson said in a brief statement that it has reached a settlement of an enforcement action with the US Securities and Exchange Commission concerning its public disclosures in July 2019. These related to a breach in connection with AIMSweb 1.0, a web-based software tool for entering and tracking students' academic performance.
"Under the settlement, Pearson has neither admitted nor denied the findings set out in the SEC's order, including the violations," it said.
"Pearson will be subject to a cease and desist order requiring Pearson not to engage in violations of certain provisions of the federal securities laws and will pay a civil penalty of $1.0m."
The data breach involved the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. The SEC said in a statement on Monday that Pearson made misleading statements and omissions about the 2018 data breach.
"In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had ‘strict protections’ in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified," the SEC said.
"The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson's disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach."
The SEC also noted that Pearson opted not to disclose the data breach to investors until it was contacted by the media, and even then the company understated the nature and scope of the incident, and overstated its data protections.