London-based Pearson, a company specializing in educational publishing, has agreed to a $1 million settlement with the SEC over a data breach.

Pearson suffered a data breach in 2018 that resulted in the theft of millions of student records. Unfortunately, the company misled investors, and continued to do so well into 2019, referring “to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred.”

Pearson’s statements continued to gloss over what really happened as late as July 2019. In addition, the company claimed to have “strict protections,” even though the security vulnerability remained unpatched six months after Pearson became aware of it.

The company has agreed to settle with the SEC for $1 million as a result of the violations.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”