Education material publisher Pearson has agreed with the Securities and Exchange Commission (SEC) in the US to pay $1m (€849,000) to settle charges it misled investors following a cyber intrusion, and had inadequate disclosure controls and procedures.

In the 2018 attack, millions of student records, including dates of birth and email addresses, as well as administrator log-in credentials for 13,000 school, district and university customer accounts, were stolen.

The SEC found that UK-based Pearson made misleading statements and omissions about the intrusion by referring, in a half-year report filed in July 2019, to a data privacy incident as a hypothetical risk when, in fact, one had occurred the year before.

Pearson also stated in an accompanying press release in 2019 that it had strict protections in place, but it failed to patch the critical vulnerability for six months after it was notified, the SEC said.

The SEC's order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.

“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents,” said Kristina Littman, cyber unit chief at the SEC’s enforcement division. 

Without admitting or denying the commission’s findings, Pearson agreed to cease committing violations of the Securities and Exchange Acts and pay a civil penalty of $1m.

