U.K.-based education company Pearson has agreed to pay $1 million as part of a settlement with the Securities and Exchange Commission (SEC) announced Monday for misleading investors regarding a data breach.

Pearson was made aware of a vulnerability affecting one of its software offerings in September 2018 but opted not to patch it until learning of the extent of the breach in March 2019, according to the SEC. The company’s subsequent regulatory filings referenced the possibility of material harm that could be caused by a breach without disclosing one had already occurred.

Pearson was further faulted for including misleading information in notifying the public of the incident.

The details: Pearson’s now-defunct AIMSweb 1.0 software was designed for entering and tracking students’ academic performance. In March 2019, the company was made aware millions of rows of data stored on the server had been accessed by a hacker via the unpatched vulnerability about which the company had been previously alerted, according to the SEC’s order.

The compromised data included school district personnel usernames and passwords, as well as student names. Some student dates of birth and email addresses were also exposed. Despite the extent of the breach, Pearson allegedly opted not to notify the public while a third-party consultant investigated the matter.

In May 2019, Pearson prepared a statement on the breach but still didn’t notify the public, according to the SEC. In a July filing, the company noted the risks a data privacy incident could pose both reputationally and financially, but still did not acknowledge the breach. It was only after being contacted by a media outlet regarding the incident at the end of July that Pearson finally released its drafted statement, which “omitted that millions of rows of student data and usernames and hashed passwords were stolen” among other misleading wording, the SEC noted.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, in a press release. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

Pearson’s stock dropped as a result of the breach disclosure. The SEC’s enforcement contains wording that any private action the company faces from investors regarding the incident shall not include an offset related to the $1 million penalty. Any such offset granted by a court would be paid to the SEC.

Pearson’s cooperation with the SEC was acknowledged in determining the settlement amount. The company neither admitted nor denied the regulator’s findings.