Education giant Pearson will pay a $1 million fine to settle charges that it misled investors about a 2018 data breach during which millions of student records were stolen.
The U.S. Securities and Exchange Commission announced earlier this month that the London-based, multinational educational publishing and software provider “made misleading statements and omissions” to downplay the Chinese hack, which affected 13,000 school, district, and university customers.
Pearson misrepresented the incident, which had already happened, as a hypothetical risk in its July 2019 semiannual report, the SEC found. Around the same time, the company also said in a media statement that the intrusion may have included dates of birth and email addresses, despite already knowing they were stolen.
The media statement left out millions of rows of student data, usernames, and passwords that were stolen. And Pearson claimed to have “strict protections” in place when in reality it failed to patch the vulnerability for six months, according to the SEC.
“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, in a press release.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Pearson agreed to pay the civil penalty “without admitting or denying the SEC’s findings.”
In an emailed statement, the company told EdWeek Market Brief it is “pleased to resolve this matter with the SEC.”
The only Pearson product targeted by the Chinese hackers starting in November 2018 — the AIMSweb 1.0 software platform — was retired in July 2019 as part of a previously scheduled plan, according to the company. The web-based software was a tool for entering and tracking students’ academic performance.
“Protecting our customers’ information is of critical importance to us,” said Laura Howe, senior vice president of global communications for Pearson, in an emailed statement. “Pearson continues to enhance its cyber security efforts to minimize the risk of cyberattacks in an ever-changing threat landscape.”
The 2018 hack was part of a decade-long, global cyberattack that targeted the intellectual property and confidential business information of companies across a wide variety of industries, including COVID-19 research, according to the Department of Justice.
The federal government indicted two suspects last year, former engineering students in China who allegedly stole hundreds of millions of dollars of trade secrets, intellectual property, and other valuable information, sometimes on behalf of the Chinese government’s Ministry of State Security.