Date: 2021-08-17

LONDON (dpa-AFX) - British publishing and education company Pearson plc (PSO, PSON.L) agreed with the U.S. Securities and Exchange Commission (SEC) to pay $1 million to settle charges of misleading investors about a cyber breach.



According to the regulator, the company misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of birth and email addresses, and had inadequate disclosure controls and procedures.



Without admitting or denying the SEC's findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay the civil penalty.



In 2018, student data and administrator log-in credentials of 13,000 school, district and university customer accounts were hacked. In a statement, the SEC said its investigation revealed that Pearson did not reveal that breach accurately in public statements, and that it made misleading statements and omissions about the 2018 data breach.



The SEC noted that Pearson, in its semi-annual report filed in July 2019, referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred.



In a July 2019 media statement, Pearson stated that the breach may include dates of birth and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had 'strict protections' in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified.



The media statement also omitted that hackers had stolen millions of rows of student data, as well as usernames and hashed passwords.



The SEC order also finds that Pearson's disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.



