London-based publishing and education company Pearson has paid $1 million to settle charges brought by the US Securities and Exchange Commission that it misled investors about a data breach in 2018 resulting in the theft of millions of student records.
Pearson was found to have made “misleading statements and omissions” about the breach, which led to millions of student usernames and scrambled passwords being stolen, along with the administrator login credentials of 13,000 school, district and university customer accounts.
Pearson had failed to acknowledge the breach, referring to it as a “hypothetical risk” in a review and later stating that it may have included dates of birth and email addresses, when the company knew that those records had been stolen.
The SEC stated: “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections.”
Kristina Littman, chief of the SEC enforcement division’s cyber unit, said: “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Date published: 19 August 2021