British publishing and education company Pearson has paid $1 million to the US Securities and Exchange Commission (SEC) to settle charges of misleading investors about a data breach it suffered in 2018.
The settlement was reached after the SEC found glaring errors in how Pearson handled the security incident and communicated it to investors, often using misleading statements to cover up the true impact of the breach.
According to the SEC, the data breach occurred after hackers infiltrated the company’s network and stole millions of student records, including students’ dates of birth and email addresses. The hackers also stole student data and administrator log-in credentials for 13,000 school, district, and university customer accounts.
However, instead of disclosing the full details of the security breach, Pearson misled investors by describing the data privacy incident as a hypothetical risk. The company later admitted to suffering a breach in a media statement issued in 2019, but said only that the breach "may include" dates of birth and email addresses when it knew for a fact that such records had indeed been stolen.
The SEC also found that Pearson claimed to have strict protections in place to prevent security incidents when in fact the company had failed to patch the critical vulnerability for six months after it was notified. The company also failed to mention in its media statement that millions of rows of student data, along with usernames and hashed passwords, were stolen by the hackers.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
According to the order published by the SEC, hackers targeted AIMSweb 1.0, web-based software used by Pearson for entering and tracking students’ academic performance, by exploiting a critical vulnerability in the software that went unpatched for months. It was finally patched after Pearson learned about the security incident on March 21, 2019.
“Although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings,” the regulator said.