The Securities and Exchange Commission announced that educational publishing company Pearson PLC agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records that included dates of births and email addresses, and had inadequate disclosure controls and procedures.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit in the release. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.
London-based Pearson has four office locations in Iowa, in Cedar Rapids, Coralville, Iowa City and West Des Moines.