The company logo is displayed outside the Pearson offices in London, Britain August 4, 2017. REUTERS/Neil Hall
WASHINGTON, Aug 16 (Reuters) – London-based Pearson PLC (PSON.L) will pay $1 million to settle charges it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, the U.S. Securities and Exchange Commission (SEC) said on Monday.
The educational-publishing firm did not admit nor deny the regulator’s charges, the SEC said, but in 2019 the firm disclosed in its annual report that the data breach may have included birth dates and email addresses, when, in fact, it knew that such records were stolen.
Pearson also said at the time that it had “strict protections” in place, but failed to patch the critical vulnerability for six months after it was notified, the SEC found.
“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Pearson spokesman Tom Steiner said the company’s data breach involved a web-based software tool that was retired in July 2019, and that the firm “continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”
It has also agreed to cease and desist from committing violations of cyber-related disclosure provisions in addition to paying the civil penalty, the SEC said.
The top U.S. markets watchdog has brought a handful of other cybersecurity disclosure cases, including its nearly $500,000 fine in 2019 of real estate title insurance company First American and a $35 million settlement in 2018 to resolve allegations that Yahoo didn’t tell investors about a data breach.
It also warned companies in a 2018 report on corporations that were victims of cyber fraud that publicly-traded companies must adopt robust internal controls to detect cyber threats.Reporting by Tim Ahmann and Katanga Johnson Editing by Paul Simao
Our Standards: The Thomson Reuters Trust Principles.
Century Tower completes handovers two months ahead of schedule in Business Bay as wider delay…
Keturah founder pinpoints critical shifts that will transform the property landscape in 2026 Dubai, UAE,…
South Asia’s definitive thought leadership dialogue, The Times Group’s ET NOW Global Business Summit 2026…
M&D has appointed industry veteran Tom Rizzi as Chief Executive Officer effective January 1, 2026
A striking new architectural landmark has entered the luxury market at 1140 Summit Drive in…
Three Group Solutions has completed the deployment of a private 5G network across key Hutchison…