The U.S. Securities and Exchange Commission announced a settlement with Pearson, a company that provides software to schools. The SEC found that Pearson made “misleading statements and omissions” over its 2018 data breach.
Pearson Data Breach
In 2018, a data breach of Pearson’s AIMSweb 1.0 software leaked millions of usernames, passwords, birth dates, and email addresses belonging to students. Administrator login credentials from over 13,000 schools and universities were also affected.
The SEC says that Pearson had referred to the breach as a “hypothetical risk” even after it occurred, as part of its July 2019 semi-annual report to investors. In a media statement around that same time, Pearson said that the breach “may include” birth dates and email addresses, while internally it knew such data had been leaked.
The company further said that it had “strict protections” in place, yet failed to patch the software vulnerability for six months after the breach. Finally, Pearson didn’t mention that “millions of rows of student data and usernames and hashed passwords were stolen.”
Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of SEC provisions and to pay a US$1 million civil penalty.