Pearsons fined $1 million by SEC for covering up 2019 data breach

Pearsons fined $1 million by SEC for covering up 2019 data breach

Pearsons fined $1 million by SEC for covering up 2019 data breach

British publishing and education company Pearson has paid $1 million to the US Securities and Exchange Commission (SEC) to settle charges of misleading investors about a data breach it suffered in 2018.

The settlement was reached after SEC found glaring errors in how Pearson handled the security incident and communicated it to its investors, often using misleading statements to cover up the true impact of the breach.

According to SEC, the data breach occurred after hackers infiltrated the company’s network and stole millions of student records, including students’ dates of birth and email addresses. The hackers also stole student data and administrator log-in credentials of 13,000 school, district, and university customer accounts.

However, instead of disclosing the full details of the security breach, Pearson misled investors by terming a data privacy incident as a hypothetical risk. The company later admitted to suffering a breach in a media statement issued in 2019 but said that the breach may include dates of births and email addresses when it knew for a fact that such data records were indeed stolen.

SEC also found that Pearson claimed to have strict protections in place to prevent security incidents from occurring when the truth was that the company failed to patch the critical vulnerability for six months after it was notified. The company also failed to mention in its media statement that millions of rows of student data and usernames and hashed passwords were stolen by hackers.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

According to the order published by SEC, hackers targeted AIMSweb 1.0, a web-based software used by Pearson for entering and tracking students’ academic performance, by exploiting a critical vulnerability in the software that went unpatched for months. It was finally patched after Pearson learned about the security incident on March 21, 2019.

“Although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings,” the regulator said.

Also Read: fined €475,000 over delay in reporting a breach

Copyright Lyonsdown Limited 2021

Top Articles

Is your security in need of an update this Cybersecurity Awareness month?

Cyber security experts tell teiss about the evolving threat landscape and how organisations can bolster their cyber security defenses

A new case for end-to-end encryption

How a hacker group got hold of calling records and text messages deploying highly sophisticated tools that show signs of originating in China

Telcos in Europe put muscle behind firewalls as SMS grows

Messaging is set to be one of the biggest traffic sources for telcos worldwide prompting them to protect loss of revenue to Grey Route practices 

Related Articles

[s2Member-Login login_redirect=”” /]