The Securities and Exchange Commission (SEC) on Monday announced a $1 million fine against Pearson PLC, a London-based educational and publishing company, after finding the company misled investors. In 2018, hackers obtained student and administrator data from 13,000 Pearson accounts. The SEC’s investigation revealed that Pearson did not reveal that breach accurately in public statements.

According to the SEC, “in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred.” In other words, Pearson downplayed the incident as “unauthorized access” and “exposure of data” stating that it had “no evidence that this information has been misused…” Furthermore, Pearson did not fix its cyber security system until six months after the company knew of the breach.

Parents of minors whose data were exposed initiated a class action lawsuit against Pearson in September 2019. However, the US District Court for the Northern District of Illinois ruled that the exposed information did not substantially increase the minors’ risk of identity theft and dismissed the case.

The SEC order found that Pearson violated §§ 17(a)(2) and 17(a)(3) of the Securities Act of 1933, § 13(a) of the Securities Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 promulgated under those Acts. Pearson agreed to cease and desist from committing further violations of these provisions and pay the $1 million fine without admitting or denying the SEC’s findings. The fine is due within 10 days of the order.