Pearson to Pay $1M Fine for 2018 Data Breach Misleading Investors

August 16, 2021

Pearson Settles SEC Charges Over Misleading Investors Regarding 2018 Data Breach

Pearson, a major publishing and education company headquartered in London, has reached an agreement to pay $1 million to resolve allegations of misleading investors. The charges stem from the company’s handling of information surrounding a 2018 data breach.

Details of the SEC Settlement

The U.S. Securities and Exchange Commission (SEC) announced the settlement on Monday. Its investigation found that Pearson made “misleading statements and omissions” concerning the 2018 security incident.

This breach involved the theft of millions of student usernames and passwords, which were scrambled. Crucially, the login credentials for approximately 13,000 school, district, and university customer accounts were also compromised.

Downplaying the Severity of the Breach

In a semi-annual review filed in July 2019, Pearson characterized the incident as a “hypothetical risk.” This occurred despite the fact that the data breach had already taken place.

Furthermore, a public statement released by Pearson that same month suggested the stolen data might include dates of birth and email addresses. However, the SEC asserts that Pearson was aware at the time that these records had, in fact, been stolen.

Inadequate Security Measures

Pearson also claimed to have had “strict protections” in place. However, the company required six months to address the vulnerability after being initially notified of it.

SEC's Cyber Unit Emphasizes Transparency

“Pearson opted not to disclose this breach to investors until prompted by media inquiries,” stated Kristina Littman, head of the SEC Enforcement Division’s Cyber Unit. “Even then, the company minimized the incident’s impact and exaggerated its data security measures.”

Littman emphasized the importance of accurate reporting of material cyber incidents by public companies, given the increasing prevalence of cyber threats.

Financial Impact and Pearson's Response

While not admitting any wrongdoing, Pearson has agreed to pay a $1 million penalty. This amount represents a small percentage of the company’s $489 million in pre-tax profits from the previous year.

A Pearson spokesperson communicated to TechCrunch that the company is “pleased to resolve this matter with the SEC.” They also acknowledged the efforts of the FBI and the Justice Department in identifying those responsible for the broader cyberattack.

Breach Details and Ongoing Security Enhancements

The breach specifically affected Pearson’s AIMSweb1.0 software, a web-based platform used for tracking student academic performance. This software was retired in July 2019.

Pearson maintains its commitment to strengthening cybersecurity efforts. The company is actively working to mitigate the risk of future cyberattacks in an evolving threat environment.

The spokesperson added that Pearson “continues to enhance its cybersecurity efforts to minimize the risk of cyberattacks in an ever-changing threat landscape.”
