The US Securities and Exchange Commission (SEC) announced today that Pearson, a British multinational educational publishing and services company, has settled charges of mishandling the disclosure process for a 2018 data breach discovered in March 2019.
Pearson agreed to pay a $1 million civil money penalty, “without admitting or denying the findings,” to settle charges that it concealed and downplayed a 2018 data breach in which attackers stole “student data and administrator log-in credentials of 13,000 school, district and university customer accounts” in the United States.
The Chinese hackers broke in by exploiting a critical flaw in AIMSweb1.0, a web-based application Pearson used to track students’ academic performance. They exfiltrated millions of rows of student data, including students’ names, dates of birth, and email addresses, together with administrator credentials that had been “scrambled” (in Pearson’s wording) using an outdated algorithm, which left them easily crackable.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Breach disclosed only after a media inquiry
In a July 2019 filing with the SEC, the company stated that it could face the risk of a data privacy incident, but it did not disclose that it had in fact suffered a data breach the year before, even though that risk factor disclosure was filed after Pearson had already notified affected customers of the incident.
Several days later, and only after a media outlet reached out for details, Pearson issued a previously prepared media statement that downplayed the actual extent of the data breach.
“In its July 26, 2019 report furnished to the Commission, Pearson’s risk factor disclosure implied that Pearson faced the hypothetical risk that a ‘data privacy incident’ ‘could result in a major data privacy or confidentiality breach’ but did not disclose that Pearson had in fact already experienced such a data breach,” the SEC explains in the order issued today.
“On July 31, 2019, approximately two weeks after Pearson sent a breach notification to affected customers, in response to an inquiry by a national media outlet, Pearson issued a previously-prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved.”
According to the SEC’s press release, Pearson also claimed it had “strict protections” in place for its customers’ data, even though the education giant had left the critical vulnerability that led to the breach unpatched for at least six months after being alerted that an AIMSweb1.0 security update was available.