British education giant Pearson fined $1 million for covering up data breach

On August 16, the U.S. Securities and Exchange Commission (SEC) announced that Pearson, a British transnational education publishing services company, had reached a settlement with allegations of improper handling of the disclosure process in the 2018 data breach. Education giant Pearson fined $1 million for downplaying data breach

Pearson failed to promptly disclose violations
The SEC announced that Pearson agreed to pay a $1 million civil penalty to resolve allegations that it "failed to admit or deny the findings of an investigation" and attempted to cover up and downplay a 2018 data breach that resulted in the loss of 13,000 U.S. The school's student and administrator login credentials were leaked.

According to the SEC, in its semiannual review filed in July 2019, Pearson referred to the data breach as a "hypothetical risk" even after the data breach had occurred. In a statement that same month, Pearson claimed that the leaked information may have included dates of birth and email addresses and that, in fact, the company was aware at the time that these records had been stolen.

"As this statement finds, Pearson chose not to disclose this breach to investors until the media had access to the breach, and even then, Pearson undervalued "As public companies face the growing threat of cyber intrusions, they must provide investors with accurate information about major cyber incidents."

Violations were disclosed only after media inquiries
Pearson stated in its communication with the U.S. Securities and Exchange Commission in July 2019 that the company may face the risk of data privacy leaks. Even so, Pearson did not disclose the data breach that occurred a year ago. It submitted the risk factor disclosure to the U.S. Securities and Exchange Commission only after notifying affected customers of the breach.

The U.S. Securities and Exchange Commission explained in a statement released on August 16, “Pearson’s report submitted to the Commission on July 26, 2019, pointed out that the company had the risk of a data breach, but did not disclose that Pearson had actually experienced a data breach. data breach,"

On July 31, 2019, two weeks after Pearson sent breach notifications to affected customers, Pearson released a prepared media statement that contained the number of rows and data types of the compromised data.

According to a press release from the SEC, the education giant failed to patch the AIMS web 1.0 security update for at least six months after receiving it.hackercritical vulnerability, but still said the company had strict "protective measures" to protect its customers' data.