The U.S. Securities and Exchange Commission announced a settlement with Pearson, a company that provides software to schools. The SEC found that Pearson made “misleading statements and omissions” over its 2018 data breach.
Pearson Data Breach
In 2018 a data breach of Pearson’s AIMSweb 1.0 software exposed millions of student records, including usernames, hashed passwords, birth dates, and email addresses. Login credentials for administrators at more than 13,000 schools and universities were also exposed.
According to the SEC, Pearson’s July 2019 semi-annual report to investors still described the breach as a “hypothetical risk” even though it had already occurred. In a media statement issued around the same time, Pearson said that the exposed data “may include” birth dates and email addresses, while it knew internally that such data had in fact been taken.
The company further claimed to have “strict protections” in place, yet it had left the vulnerability behind the breach unpatched for six months. Finally, Pearson’s statement did not mention that “millions of rows of student data and usernames and hashed passwords were stolen.”
Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of SEC provisions and to pay a US$1 million civil penalty.