British educational software company Pearson settled charges with the U.S. Securities and Exchange Commission for $1 million over its “misleading” handling of a 2018 data breach, the SEC announced Monday.
The SEC based its charges on a July 2019 disclosure to the agency that a hypothetical “data privacy incident” could “result in a major data privacy or confidentiality breach,” when the company had in fact already been breached and had known about it for months, among other statements.
In its public response to the incident, which involved the theft of student information and administrator log-in accounts for 13,000 district, school and university customer accounts, Pearson also left out details about the extent of the stolen information, the SEC said.
Pearson claimed to have “strict protections” in place even though it had left a critical vulnerability unpatched for six months that the hackers exploited, along with other poor security practices cited by the SEC. It also failed to disclose that millions of rows of student data were involved in the incident.
It’s the second SEC settlement over a major data security issue in recent months, and a stiffer penalty than the nearly $500,000 it imposed on First American Financial over its exposure of more than 800 million document images. The Pearson incident raised questions about the protection of student privacy.
Last year, the Justice Department alleged that two suspected Chinese government-backed hackers, Li Xiaoyu and Dong Jiazhi, stole data from a host of U.S. targets in the medical and defense industry, but also from “an education company.” Pearson said it was that unnamed victim.
Pearson said it was “pleased” to resolve the issue with the SEC, and that the breached software, AIMSweb1.0, has been retired. It also said it appreciated the work of the FBI and DOJ to identify and charge the culprits.
“Protecting our customers’ information is of critical importance to us,” said a spokesperson, Tom Steiner. “Pearson continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape.”
A judge last year dismissed a lawsuit against Pearson over the breach, saying the plaintiffs lacked standing.