London-based education giant Pearson has agreed to pay a $1 million fine to the U.S. Securities and Exchange Commission after being found to have misled investors regarding the impact of a 2018 data breach, which resulted in the theft of millions of student usernames and passwords, as well as 13,000 school, district and university administrator credentials, reports TechCrunch. Pearson said in a semi-annual review issued in July 2019 that the breach was only a "hypothetical risk," and said the same month that the incident may have only compromised data, even though it knew about the data theft, according to the SEC. Pearson was also found to have patched the flaw only six months after being notified, even though it said earlier that it had "strict protections." "As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections," said SEC Enforcement Division Cyber Unit Chief Kristina Littman.