The educational-publishing firm did not admit nor deny the regulator's charges, the SEC said, but in 2019 the firm disclosed in its annual report that the data breach may have included birth dates and email addresses, when, in fact, it knew that such records were stolen.
Pearson also said at the time that it had "strict protections" in place, but failed to patch the critical vulnerability for six months after it was notified, the SEC found.
"Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections," said Kristina Littman, chief of the SEC enforcement division's cyber unit.
"As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents."
Pearson spokesman Tom Steiner said the company's data breach involved a web-based software tool that was retired in July 2019, and that the firm "continues to enhance its cyber security efforts to minimise the risk of cyberattacks in an ever-changing threat landscape."
It has also agreed to cease and desist from committing violations of cyber-related disclosure provisions in addition to paying the civil penalty, the SEC said.
The top U.S. markets watchdog has brought a handful of other cybersecurity disclosure cases, including its nearly $500,000 fine in 2019 of real estate title insurance company First American and a $35 million settlement in 2018 to resolve allegations that Yahoo didn't tell investors about a data breach.
It also warned companies in a 2018 report on corporations that were victims of cyber fraud that publicly-traded companies must adopt robust internal controls to detect cyber threats.
(Reporting by Tim Ahmann and Katanga JohnsonEditing by Paul Simao)
By Katanga Johnson