On Monday, the Securities and Exchange Commission (SEC) reported that London-based educational publisher Pearson plc agreed to resolve charges relating to its disclosure of a 2018 cyber breach that resulted in the theft of millions of student records and personally identifiable information such as birth dates and email addresses. The SEC explained that the media statement the company issued months after the incident glossed over its most serious aspects, and that an official filing referred to the breach only as a hypothetical risk.
According to the cease-and-desist order, Pearson, through a subsidiary, offered school district customers web-based software for entering and tracking students’ academic performance. In March 2019, Pearson reportedly learned that millions of rows of data stored on the relevant server had been accessed and downloaded by a sophisticated threat actor via an unpatched vulnerability. According to the SEC, although Pearson was aware of the flaw in September 2018, when a patch was already available, the company did not remediate the issue until March 2019, after it learned of the attack.
The order notes that the company declined several times to issue a public statement about the breach, and only on July 31, 2019, after a reporter from a national media outlet contacted Pearson regarding an impending article describing the data breach, did the company go public with the information. The media statement, the SEC order says, was misleading for numerous reasons, including that it understated the breadth of the breach and mischaracterized the exfiltration of birth dates and email addresses. The day after Pearson made the information public, the company’s stock price reportedly fell 3.3%.
For the alleged violations of the Securities Act and the Exchange Act of 1934, Pearson will pay a civil penalty and has undertaken to cease and desist from further violations.
The SEC’s allegations are reminiscent of those brought by Rhode Island against Google’s parent company. In that lawsuit, the Ninth Circuit Court of Appeals sided with the state, finding that in two SEC reporting forms Alphabet Inc. had failed to adequately disclose a cybersecurity vulnerability in its Google+ application. The tech company has sought Supreme Court review of the decision, and the Ninth Circuit has stayed its mandate while Alphabet’s petition is pending.