(Reuters) - London-based Pearson PLC will pay one million dollars to settle charges that it misled investors about a 2018 online intrusion involving the theft of millions of student records, the US Securities and Exchange Commission said on Monday.
The education publishing company did not acknowledge or deny the regulator's charges, the SEC said, but in 2019 the company revealed in its annual report that the data breach may have included dates of birth and email addresses, when in fact it knew such records were stolen.
Pearson also said at the time that it had "strict protection" in place, but failed to correct the critical vulnerability for six months after it was announced, the SEC found.
"Pearson chose not to disclose this crime to investors until it was contacted by the media, and even then Pearson underestimated the nature and extent of the incident and overestimated the company's data protection," said Kristina Littman, head of the SEC's cyber unit.
"As public companies face the growing threat of cyber intrusion, they must provide accurate information to investors about significant cyber incidents."
Pearson spokesman Tom Steiner said the company's data breach involved a web-based software tool that was retired in July 201
It also warned companies in a 2018 report on companies as victims of cyber fraud that listed companies must adopt robust internal controls to detect cyber threats.