Education giant Pearson fined $1M for downplaying data breach
2021-08-16 19:23

Pearson agreed to pay a $1 million civil money penalty to settle charges, "without admitting or denying the findings," that it tried to hide and downplay the 2018 data breach that led to the theft of "student data and administrator log-in credentials of 13,000 school, district and university customer accounts" in the United States.

"As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit.

Several days later, and only after a media outlet reached out for details, Pearson also issued a previously prepared media statement that tried to downplay the actual extent of the data breach.

"In its July 26, 2019 report furnished to the Commission, Pearson's risk factor disclosure implied that Pearson faced the hypothetical risk that a 'data privacy incident' 'could result in a major data privacy or confidentiality breach' but did not disclose that Pearson had in fact already experienced such a data breach," the SEC explains in the order issued today.

"On July 31, 2019, approximately two weeks after Pearson sent a breach notification to affected customers, in response to an inquiry by a national media outlet, Pearson issued a previously-prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved."

According to the SEC's press release, Pearson also said it had "strict protections" to defend its customers' data, even though the education giant failed to patch the critical vulnerability that led to the breach at least six months after being alerted that a AIMSweb1.


News URL

https://www.bleepingcomputer.com/news/security/education-giant-pearson-fined-1m-for-downplaying-data-breach/