Pearson plc (PSO+0.0%) agrees to pay $1M to settle charges that it misled investors about a 2018 cyber attack.
The Securities and Exchange Commission found that Pearson made misleading statements about the data breach that involved the theft of millions of student records and personal information. In the company's July 2019 semi-annual report the company called the data privacy incident a hypothetical risk, when the breach had already occurred.
Pearson also said that it had "strict protections" in place when it actually took the company six months to patch the vulnerability after it was notified.
"As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections," said the SEC's Enforcement Division Cyber Chief Kristina Littman.