UK-based Pearson Education has been ordered to pay $1m in the US to settle charges it misled investors about a 2018 data breach which resulted in millions of student records being stolen.
The Securities & Exchange Commission (SEC) revealed the settlement after it found Pearson made “misleading statements and omissions” about the incident that involved the theft of student data and administrator log-in credentials of 13,000 school, district, and university customer accounts.
The SEC said Pearson referred to a data privacy incident as a hypothetical risk, despite the fact the breach had already occurred. In a statement published at the time, Pearson said the breach may include dates of birth and email addresses, but it already knew such records were stolen.
The regulator also said Pearson had claimed to have “strict protections” in place, “when, in fact, it failed to patch the critical vulnerability for six months after it was notified”.
SEC Enforcement Division’s Cyber Unit chief Kristina Littman said: “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and, even then, it understated the nature and scope of the incident, and overstated the company’s data protections.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
In a statement, Pearson said: “We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the Justice Department to identify and charge those responsible for a global cyberattack that affected Pearson and many other companies and industries, including at least one government agency.
“Pearson continues to enhance its cybersecurity efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”