The US Securities and Exchange Commission (SEC) has imposed a $1m fine on London-based educational publisher Pearson to settle charges that it purposely misled its investors over a 2018 cyber attack that saw millions of student records, including personally identifiable information (PII), compromised.
The incident saw student data and admin login credentials relating to 13,000 school district and university customer accounts stolen, yet according to SEC investigators, Pearson referred to a data privacy incident as a “hypothetical risk” in a semi-annual report published in July 2019, after the breach had taken place.
In disclosing the breach in July 2019, Pearson also said the breach “may include” dates of birth and email addresses when in fact it already knew the breached records did include this information, and said it had “strict protections” in place when in fact, as the investigators found, it had failed to patch a critical CVE in its systems for six months after the vulnerability was disclosed. The SEC also said Pearson’s media statement omitted to state that millions of data records and hashed passwords had been stolen.
The SEC investigation also found that Pearson’s disclosure controls and procedures had been badly designed and could not ensure that people within the organisation with responsibility for making disclosure determinations had been informed of certain information about the circumstances of the breach.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit.
“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
The order finds Pearson in violation of multiple articles of Section 17 of the US Securities Act of 1933, and Section 13 of the Exchange Act of 1934. The company has agreed to cease and desist from committing violations of these provisions without admitting or denying the investigation’s findings.
A spokesperson for the company said: “Pearson confirms that it has reached a settlement of an enforcement action with the Securities and Exchange Commission concerning the company’s public disclosures in July 2019 regarding a 2018 data breach in connection with AIMSweb 1.0, a web-based software tool for entering and tracking students’ academic performance that was retired in July 2019 in line with a previously scheduled retirement plan.
“Under the settlement, Pearson has neither admitted nor denied the findings set out in the SEC’s order, including the violations. Pearson will be subject to a cease and desist order requiring Pearson not to engage in violations of certain provisions of the federal securities laws and will pay a civil penalty of $1m. In the order, the SEC acknowledged Pearson’s cooperation with the SEC staff.”
Commenting on the fine, Orange Cyberdefense UK product manager Dominic Trott said the incident underlined the importance of transparency in incident disclosure, particularly given that the education sector has been under such intense pressure from malicious actors, including ransomware gangs.
“Only through collaboration and transparency can cyber researchers and technologists begin to turn the tide against cyber criminals intent on wreaking havoc in the sector,” said Trott.
“As Pearson has learned, failure to properly disclose a breach can also be far more damaging to an organisation’s reputation and can incur severe legal penalties, particularly when customer data is involved.
“Breach disclosure processes should form part of an organisation’s blended approach to cyber security, layering a combination of people, process and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.”