The SEC charged Pearson with misleading investors over the existence and extent of the breach, in which millions of student records were stolen. The SEC found Pearson in its 2019 semiannual report referred to a data security incident as a hypothetical risk when it knew one had occurred, didn’t accurately describe the extent of the breach in media statements and failed for six months to patch the software vulnerability hackers exploited after being notified a patch was available.

