On August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

The SEC’s order alleges that on March 21, 2019, Pearson learned of a 2018 cyber intrusion that affected data stored on the server for one of its web-based software products. The server was accessed and downloaded by a “sophisticated threat actor” taking advantage of an unpatched vulnerability on the server. In September 2018, the software manufacturer put Pearson on notice of the vulnerability, but the SEC’s order alleges that Pearson did not patch the vulnerability until after it learned of the attack in March 2019 even though a patch was available in September 2018. On March 21, 2019, Pearson received a copy of the stolen data showing that all school district personnel usernames and passwords and 11.5 million rows of student data had been exfiltrated, which included students’ birth dates and email addresses. In July of 2019, Pearson mailed a breach notice to all of its customer accounts whose data was exfiltrated but did not inform them that their usernames and passwords had been exfiltrated.

The SEC’s order found that, in its semi-annual report filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when the 2018 cyber intrusion had already occurred. Further, in a July 2019 media statement, Pearson stated that the breach may have included birth dates and email addresses, when Pearson knew that birth dates and email addresses were in fact stolen. Pearson’s media statement also said that Pearson had “strict protections” in place, when it had failed to patch the vulnerability after it was notified by the software manufacturer. The SEC’s order also alleged that the media statement omitted the fact that millions of rows of student data were breached.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

The SEC’s order found that Pearson violated the antifraud provisions of Sections 17(a)(2) and17(a)(3) of the Securities Act of 1933; the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20 and 13a-16 thereunder; and the disclosure controls provisions of Rule 13a-15(a). The SEC accepted Pearson’s settlement offer, which included a cease-and-desist order and a $1 million civil monetary penalty.

This case reflects the SEC’s position that personnel responsible for information technology and information security should be in regular communication with their colleagues overseeing financial reporting and SEC disclosure to ensure the accuracy of SEC reports with respect to cybersecurity.