The Securities and Exchange Commission today announced that Altaba, formerly known as Yahoo! Inc., agreed to pay a $35 million penalty arising out of a December 2014 data breach that affected hundreds of millions of user accounts.
The SEC found that Yahoo misled investors by failing to report the data breach to the public until well after its occurrence. According to the SEC’s press release, in December 2014 Yahoo learned that Russian hackers had stolen usernames, email addresses, phone numbers, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. While the data breach was subsequently reported to Yahoo senior management and legal department, Yahoo! did not report the breach to the investing public until September 2016, when it announced that information associated with “at least 500 million user accounts” was stolen by a state-sponsored actor. Also, Yahoo failed to disclose the breach in its SEC filings or share the information regarding the breach with its auditors or outside counsel to assess the company’s disclosure obligations.
Jina Choi, Director of the SEC’s San Francisco Regional Office, noted in the press release that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” Steve Peikin, Co-Director of the SEC Enforcement Division, added that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
Verizon Communications acquired Yahoo’s business operations in June 2017 for $4.48 billion. Prior to Yahoo’s data breach announcement, the two companies had announced Verizon’s purchase of Yahoo in July 2016 for a total of $4.83 billion. According to news reports, the $350 million reduction in sale price was the result of the December 2014 data breach as well as another unrelated undisclosed breach in December 2016 that affected over 1 billion user accounts. Yahoo has since changed its name to Altaba Inc. The SEC specified that its investigation was still ongoing; meanwhile, Yahoo still faces massive class action lawsuits relating to the data breach in federal court.
The SEC’s press release can be found here.