According to the SEC, London-based Pearson made misleading statements and omissions to investors about a cyber-attack that involved the theft of millions of student records, including dates of birth and email addresses, as well as administrator login information.
The SEC also said in a statement that it found Pearson had “inadequate disclosure controls and procedures.” In fact, in a semi-annual report from July 2019, Pearson called the risk of a data breach “hypothetical,” even though the 2018 cyber breach had already occurred.
In the same month, Pearson said told some media outlets that the breach may include birth dates and email addresses, even though the company knew that such records had already been stolen, according to the SEC. Pearson further omitted the fact that “millions of rows of student data and usernames and hashed passwords” were stolen in the breach.
At the time, Pearson further claimed it had “strict protections” in place, but the SEC found that it had failed to patch a critical vulnerability for half a year after it was notified of its existence. The company’s disclosure procedures and controls were not adequately designed to handle the breach, nor were they equipped to ensure that those responsible for making disclosure determinations were notified of information about the circumstances surrounding the breach.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
While Pearson did not admit to or deny the SEC’s findings, the company agreed to cease and desist from committing the violations and to pay a $1 million civil penalty.