Firm Pays $1 Million Settlement After Regulator Says It Misled Investors and Victims
When is a data exposure not just a data exposure?
The answer, in the eyes of the U.S. Securities and Exchange Commission, is that if a publicly traded business knows that attackers not only accessed but exfiltrated data, then they need to say so to investors, rather than couching it in unclear language.
SEC: “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
That’s just one takeaway from a Monday order published by the SEC, announcing that Pearson PLC, a London-based education publishing and assessment service, will pay $1 million to settle charges that it misled investors about the severity of a 2018 data breach, failing to inform them of the security breach in a timely manner despite millions of student records covering 13,000 schools, school districts and universities having been exposed. Pearson has also agreed to cease violating multiple SEC statutes.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then, Pearson understated the nature and scope of the incident and overstated the company’s data protections,” says Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
As is typical for SEC orders, businesses that agree to settle neither confirm nor deny any wrongdoing.
“We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the Department of Justice to identify and charge those responsible for a global cyberattack that affected Pearson and many other companies and industries, including at least one government agency,” Pearson tells me in a statement.
“The data breach was in connection with AIMSweb 1.0, a web-based software tool for entering and tracking students’ academic performance,” Pearson adds. “The software tool was retired in July 2019 as part of a previously scheduled retirement plan,” in favor of a newer tool named AIMSweb Plus.
Pearson declined to comment further about the attack.
Chinese Attackers Indicted
The breach traces to an attack campaign for which a federal grand jury last year issued an 11-count indictment against two Chinese citizens: Li Xiaoyu, then 34, and Dong Jiazhi, then 33. Their list of victims includes hundreds of organizations in the U.S. and abroad, including the Department of Energy’s Hanford Site in eastern Washington state. Some of the victims were subjected to attacks over a period of years, DOJ officials said. Both men remain at large (see: DOJ: Chinese Hackers Targeted COVID-19 Vaccine Research).
The attackers typically targeted web server, web application or software collaboration programs to gain initial access to targets, often via known vulnerabilities that those targets had failed to patch, after which they installed software such as China Chopper, a credential-stealing web shell that can also be used to remotely control servers, according to court documents.
“To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents’ names and extensions (e.g., from ‘.rar’ to ‘.jpg’) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks’ ‘recycle bins,'” according to the Justice Department.
FBI Alerted Pearson
Pearson has previously said it first learned it had been breached after the FBI gave it a heads-up in 2019. Learning about a breach from a third party is common, but in such cases, attackers have typically been hanging out in a network for much longer than when an organization self-detects the breach.
“When we were contacted by the FBI … we immediately took action to determine the extent of the breach and to remedy the issue,” Scott Overland, director of media relations for Pearson, told the news site EdWeek in July 2020. “We then notified customers whose data was affected. The student data accessed was limited to first and last name, and in some instances, included date of birth and/or email address.”
Except that wasn’t the full picture, according to the SEC, which says that “usernames and hashed passwords of school personnel were also exfiltrated.” But Pearson failed to warn either victims or investors of that fact, according to the SEC’s order.
In addition, the SEC says the company also initially failed to inform investors about the breach. “In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred,” the SEC notes. “And in a July 2019 media statement, Pearson stated that the breach may include dates of birth and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had ‘strict protections’ in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen.”
Compounding the problem: “Pearson was using a hashing algorithm for password storage that had become outdated,” meaning that an attacker could have cracked the passwords to gain access those accounts. The SEC notes that any users who reused their credentials when moving from the AIMSweb 1.0 to the AIMSweb Plus platform would have been at risk of having their accounts get accessed.
For any organization that wants to avoid paying $1 million to settle an SEC order as a result of misleading investors about a breach, here are five takeaways.
- Keep systems patched: Pearson failed to patch a vulnerability in its server software until after March 2019 – after it had been breached. “The vulnerability had been publicized by the software manufacturer as critical in September 2018 because it allowed an attacker remotely to execute arbitrary code on vulnerable servers,” the SEC says. Pearson allegedly then failed to inform investors it had been breached in a timely manner, or to tell them how.
- Watch for unusual behavior: Attackers successfully stole 11.5 million rows of student data without Pearson detecting it. The company learned about the intrusion from the FBI sometime in 2019.
- Check password hashing algorithms: The SEC notes that victims were at risk because hashed passwords had been stolen. Hashing a password is supposed to generate a hash that can’t be reverse-engineered. But “the school district personnel passwords were scrambled using an algorithm that had become outdated for protecting passwords,” meaning they would have been easy to crack.
- Never mislead victims or investors: The SEC found that after Pearson learned of the full extent of the breach, it continued to issue statements that incorrectly “implied that no ‘major data privacy or confidentiality breach’ had occurred.”
- Maintain proper disclosure controls and procedures: The SEC order says Pearson’s failure traced in part to breach information not being disseminated to the relevant personnel inside the organization. “Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach,” the SEC says.
In summary: Never hide relevant data breach facts from victims or investors.