Yahoo is fined tens of millions for failing to disclose data breach
The Securities and Exchange Commission (SEC) said on Tuesday that Yahoo will pay tens of millions of dollars after it failed for two years to disclose to the public a massive data breach.
Yahoo, now known as Altaba after Verizon acquired it, will pay $35 million to settle charges that it misled investors after Russian hackers accessed the account information at least 500 million users in December 2014. That breach is thought to be separate from a 2013 hack, which is now known to have compromised all 3 billion accounts.
The SEC alleges that the company’s information security team knew about the 2014 intrusion, reported it to senior management and the legal department, yet failed to investigate the breach and report it to investors until more than two years later. The company also failed to assess whether the public should have been notified. When Yahoo finally disclosed the breach, the company was being acquired by Verizon.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted,” Steven Peikin, co-director of the SEC enforcement division, said in a press release. “This is clearly such a case.”
Stolen information included usernames, passwords, encrypted passwords, phone numbers and birth dates. Between the time the company learned of the intrusion and when it was reported to the public, the company told investors during quarterly reports that it faced the risk of negative effects that may result from a breach, the SEC said.
This is the first time the SEC has targeted a company over the disclosure process, which has become a focal point for lawmakers and government agencies in the wake of damaging hacks at Yahoo and Equifax. During the latter company’s breach, hackers accessed the personally identifiable information of more than 147 million Americans. Equifax learned about the intrusion at the end of July 2017, but did not tell the public about it until mid-September. A company executive was charged with insider trading for selling stock shortly after it is alleged that he became aware of the breach, but before it was disclosed.