WASHINGTON, Aug. 16 - Pearson Plc will pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, the U.S. Securities and Exchange Commission said on Monday.
The educational publishing firm neither admitted nor denied the SEC's findings. In 2019 it said the data breach may have included birth dates and email addresses when, in fact, it already knew that such records had been stolen, the SEC found.
Pearson also said at the time that it had "strict protections" in place, but it failed to patch the critical vulnerability for six months after it was notified of it, the SEC found.
"Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident and overstated the company's data protections," said Kristina Littman, head of the SEC Enforcement Division's cyber unit.
"As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents," she said.
Pearson spokesman Tom Steiner said the breach involved a web-based software tool that was retired in July 2019, and that the firm continues to strengthen its cybersecurity to minimise the risk of cyberattacks in an ever-changing threat landscape.
In addition to paying the civil penalty, Pearson agreed to cease and desist from committing further violations of the disclosure provisions at issue, the SEC said.
The top U.S. markets watchdog has brought a handful of other cybersecurity disclosure cases, including a nearly $500,000 penalty in June 2021 against title insurer First American Financial Corp and a $35 million settlement in 2018 to resolve allegations that Yahoo failed to tell investors about a data breach.
In a 2018 investigative report, the regulator also warned public companies that their internal accounting controls should take cyber fraud into account.