Pearson settles $1mn SEC action over cyber-attack disclosures
London-based Pearson has agreed to pay $1mn to settle SEC charges that it misled investors about a 2018 cyber-attack involving the theft of student records and had inadequate disclosure controls and procedures.
Pearson provides educational publishing and other services to schools and universities. According to the SEC’s filing in the administrative proceeding, the company made material misstatements and omissions regarding the cyber-intrusion, which affected several million rows of student data across 13,000 school, district and university AIMSweb 1.0 customer accounts in the US. AIMSweb 1.0 is web-based software for entering and tracking students’ academic performance.
The SEC states that Pearson learned about the intrusion on March 21, 2019. The attacker used an unpatched vulnerability on a server, a vulnerability had been publicized by the software manufacturer as critical in September 2018, according to the agency. Although the patch for this vulnerability was available and Pearson was notified of it in September 2018, the company did not implement the patch until March 2019 after it learned of the attack, according to the SEC.
The regulator says that in a July 26, 2019 report filed with the agency, Pearson’s risk factor disclosure implied that the company faced the hypothetical risk that a ‘data privacy incident’ ‘could result in a major data privacy or confidentiality breach’ but did not disclose that it had already experienced such a breach.
The SEC alleges that on July 31, 2019, roughly two weeks after Pearson notified affected customers, it responded to an inquiry from a national media outlet by issuing a previously-prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved.
According to agency, the media statement was misleading for reasons including:
- Although Pearson had known for months that the attacker removed several million rows of data from the AIMSweb 1.0 server, rather than just having obtained access to view the data, the statement referred to the incident as ‘unauthorized access’ and ‘expos[ure of] data’
- It characterized the exfiltration of dates of birth and email addresses as hypothetical when it knew that roughly half of the exfiltrated data contained dates of birth and around 290,000 contained email addresses
- It omitted that millions of rows of student data were involved in the breach.
The SEC alleges that Pearson’s processes and procedures around the drafting of its July 26, 2019 Form 6K risk factor disclosures and its July 31, 2019 media statement ‘failed to inform relevant personnel of certain information about the circumstances surrounding the breach.’
It adds: ‘Although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed in this way to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.’
‘As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,’ Kristina Littman, chief of the SEC enforcement division’s cyber unit, says in a statement. ‘As public companies face the growing threat of cyber-intrusions, they must provide accurate information to investors about material cyber-incidents.’
Pearson settled the SEC action without admitting or denying wrongdoing. The agency notes that the company cooperated with its officials.
Pearson says in a statement: ‘We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the [US Department of Justice] to identify and charge those responsible for a global cyber-attack that affected Pearson and many other companies and industries, including at least one government agency.
‘The data breach was in connection with AIMSweb1.0, a web-based software tool for entering and tracking students’ academic performance. The software tool was retired in July 2019 as part of a previously scheduled retirement plan. Protecting our customers’ information is of critical importance to us. Pearson continues to enhance its cyber-security efforts to minimize the risk of cyberattacks in an ever-changing threat landscape.’