The company logo is displayed outside the Pearson offices in London, Britain August 4, 2017. REUTERS/Neil Hall
WASHINGTON, Aug 16 (Reuters) – London-based Pearson PLC (PSON.L) will pay $1 million to settle charges it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, the U.S. Securities and Exchange Commission (SEC) said on Monday.
The educational-publishing firm did not admit nor deny the regulator’s charges, the SEC said, but in 2019 the firm disclosed in its annual report that the data breach may have included birth dates and email addresses, when, in fact, it knew that such records were stolen.
Pearson also said at the time that it had “strict protections” in place, but failed to patch the critical vulnerability for six months after it was notified, the SEC found.
“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Pearson spokesman Tom Steiner said the company’s data breach involved a web-based software tool that was retired in July 2019, and that the firm “continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”
It has also agreed to cease and desist from committing violations of cyber-related disclosure provisions in addition to paying the civil penalty, the SEC said.
The top U.S. markets watchdog has brought a handful of other cybersecurity disclosure cases, including its nearly $500,000 fine in 2019 of real estate title insurance company First American and a $35 million settlement in 2018 to resolve allegations that Yahoo didn’t tell investors about a data breach.
It also warned companies in a 2018 report on corporations that were victims of cyber fraud that publicly-traded companies must adopt robust internal controls to detect cyber threats.Reporting by Tim Ahmann and Katanga Johnson Editing by Paul Simao
Our Standards: The Thomson Reuters Trust Principles.
Amazon secured a key early win as a federal judge blocked New York from enforcing…
The Enthuse Foundation has revealed the finalists for its 7th Annual Women Founders Pitch Competition,…
The Marcus Evans 2nd Edition Model Risk Management, Canada conference taking place in Toronto, Canada…
Economists say Shanghai is strengthening its role as China’s reform engine, accelerating innovation and global…
U.S. shoppers are set to spend nearly $80 billion this Black Friday and Cyber Monday,…
Waiken has unveiled a US$450 million investment plan through 2031 to strengthen its entertainment and…