The company logo is displayed outside the Pearson offices in London, Britain August 4, 2017. REUTERS/Neil Hall

WASHINGTON, Aug 16 (Reuters) – London-based Pearson PLC (PSON.L) will pay $1 million to settle charges it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, the U.S. Securities and Exchange Commission (SEC) said on Monday.

The educational-publishing firm did not admit nor deny the regulator’s charges, the SEC said, but in 2019 the firm disclosed in its annual report that the data breach may have included birth dates and email addresses, when, in fact, it knew that such records were stolen.

Pearson also said at the time that it had “strict protections” in place, but failed to patch the critical vulnerability for six months after it was notified, the SEC found.

“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.

“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

Pearson spokesman Tom Steiner said the company’s data breach involved a web-based software tool that was retired in July 2019, and that the firm “continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”

It has also agreed to cease and desist from committing violations of cyber-related disclosure provisions in addition to paying the civil penalty, the SEC said.

The top U.S. markets watchdog has brought a handful of other cybersecurity disclosure cases, including its nearly $500,000 fine in 2019 of real estate title insurance company First American and a $35 million settlement in 2018 to resolve allegations that Yahoo didn’t tell investors about a data breach.

It also warned companies in a 2018 report on corporations that were victims of cyber fraud that publicly-traded companies must adopt robust internal controls to detect cyber threats.Reporting by Tim Ahmann and Katanga Johnson Editing by Paul Simao

Our Standards: The Thomson Reuters Trust Principles.


You May Also Like

PepsiCo bets on higher soda sales as restaurants reopen

(Reuters) -PepsiCo Inc said on Thursday it expects organic revenue growth to…

Nissan to spend $17.6 bln over 5 years in electrification push

Nissan Motor Co (7201.T) announced it will spend 2 trillion yen ($17.59 billion) over the next five years to accelerate vehicle electrification, aiming to catch up with rivals in one of the fastest growth areas for the automobile industry.

Taiwan to woo backers at APEC for bid to join Pacific trade pact

Taiwan will seek support for its bid to join a trans-Pacific trade pact when it attends a meeting of economic leaders of the Asia-Pacific group APEC next week, President Tsai Ing-wen said on Tuesday.