Pearson has paid a $1 million settlement to the US Securities and Exchange Commission (SEC) over misleading investors about a 2018 data breach.
The London-based educational publisher said in a July 2019 report that the data breach could have included birth dates and email addresses; however, Pearson knew these details were compromised, according to the SEC’s allegations.
The US regulator said the 2018 attack saw student data and admin login credentials relating to 13,000 school district and university customer accounts compromised.
Pearson first reported the breach as a “hypothetical risk”; however, the SEC said Pearson did not patch a critical vulnerability despite being aware of it for six months.
The publisher claimed it had “strict protections” in place in its July 2019 report.
In July, Amazon was fined €746 million by Luxembourg regulators for an alleged violation of GDPR, in what is thought to be the largest data-related fine ever.
"Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then, Pearson understated the nature and scope of the incident, and overstated the company's data protections," said Kristina Littman, chief of the SEC enforcement division's cyber unit. "As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents."
“Pearson confirms that it has reached a settlement of an enforcement action with the Securities and Exchange Commission concerning the company’s public disclosures in July 2019 regarding a 2018 data breach in connection with AIMSweb 1.0, a web-based software tool for entering and tracking students’ academic performance that was retired in July 2019 in line with a previously scheduled retirement plan,” said a Pearson spokesperson. “Under the settlement, Pearson has neither admitted nor denied the findings set out in the SEC’s order, including the violations.”
“Pearson will be subject to a cease-and-desist order requiring Pearson not to engage in violations of certain provisions of the federal securities laws and will pay a civil penalty of $1 million.”
They added: “In the order, the SEC acknowledged Pearson’s cooperation with the SEC staff.”