SEC Fines Pearson For Misleading Investors

Pearson has agreed to pay US$1 million to settle charges from US securities regulators that it knowingly misled investors and downplayed the severity of a 2018 cyber attack that exposed the personal information of millions of students, reported The Financial Times.

The Securities and Exchange Commission (SEC) stated that the UK educational publishing company reported the breach as “hypothetical risk” in its semi-annual report in 2019 when it had “already occurred” in 2018. 

It added that Pearson claimed the breach of 13,000 school, district, and university customer accounts “may” have included dates of birth and email addresses when in fact it knew that this was the case. It also failed to state that millions of rows of student data, usernames and hashed passwords were stolen. 

The FTSE 100 group claimed to have “strict protections” in place for its systems, but had failed to patch the critical vulnerability that hackers used to get into its systems until six months after it was notified, the Commission stated. The SEC also criticized Pearson’s internal processes for handling disclosure as lacking.  “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit. 

“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

Want more news? Subscribe to CPI’s free daily newsletter for more headlines and updates on antitrust developments around the world.