Privacy Ninja




Education Giant Pearson Fined $1M for Downplaying Data Breach


The US Securities and Exchange Commission (SEC) announced today that Pearson, a British multinational educational publishing and services company, has settled charges of mishandling the disclosure process for a 2018 data breach discovered in March 2019.

Pearson agreed to pay a $1 million civil money penalty to settle charges “without admitting or denying the findings” that it tried to hide and downplay the 2018 data breach that led to the theft of “student data and administrator log-in credentials of 13,000 school, district and university customer accounts” in the United States.

After exploiting a critical flaw in AIMSweb1.0, the web-based software Pearson used for tracking students’ academic performance, the Chinese hackers exfiltrated data including students’ names, dates of birth, and email addresses. They also stole millions of rows of student data and easily crackable credentials “scrambled” using an outdated algorithm.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.

“As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”


Breach disclosed only after a media inquiry

In July 2019, the company told the SEC that it could face the risk of a data privacy incident. It did not disclose that it had already suffered a data breach one year earlier, even though the risk factor disclosure sent to the SEC came after Pearson had notified affected customers of the incident.

Several days later, and only after a media outlet reached out for details, Pearson issued a previously prepared media statement that tried to downplay the actual extent of the data breach.

“In its July 26, 2019 report furnished to the Commission, Pearson’s risk factor disclosure implied that Pearson faced the hypothetical risk that a ‘data privacy incident’ ‘could result in a major data privacy or confidentiality breach’ but did not disclose that Pearson had in fact already experienced such a data breach,” the SEC explains in the order issued today.

“On July 31, 2019, approximately two weeks after Pearson sent a breach notification to affected customers, in response to an inquiry by a national media outlet, Pearson issued a previously-prepared media statement that also made misstatements about the nature of the breach and the number of rows and type of data involved.”


According to the SEC’s press release, Pearson also said it had “strict protections” to defend its customers’ data, even though the education giant failed to patch the critical vulnerability that led to the breach for at least six months after being alerted that an AIMSweb1.0 security update was available.


