Yahoo! Inc. agreed Tuesday to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.
Yahoo settled with the SEC without admitting or denying the agency’s findings (pdf).
Verizon Communications, Inc. bought Yahoo’s operating business in June 2017. After the acquisition, Yahoo became known as Altaba Inc.
In December 2014, Russian hackers stole what Yahoo’s security team referred to as the company’s “crown jewels” — usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
The security team knew about the intrusion within days.
They reported the breach to members of Yahoo’s senior management and legal department.
Yahoo didn’t share information about the breach with its auditors or outside counsel, so those outside experts couldn’t “assess the company’s disclosure obligations in its public filings,” the SEC said.
Yahoo only disclosed the breach two years later, in 2016, when it was closing the Verizon deal.
The SEC’s Steven Peikin said, “We do not second-guess good faith exercises of judgment about cyber-incident disclosure.”
“But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Peikin said.
Earlier this year the SEC published guidance (pdf) to help public companies prepare disclosures about cybersecurity risks and incidents.
The SEC said Tuesday that Yahoo filed several quarterly and annual reports in the two years after the breach, but the filings didn’t mention the breach or how it might hurt Yahoo.
“Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches,” the SEC said.
Yahoo also failed to maintain “disclosure controls and procedures” to make sure cyber breaches or the risk of them “were properly and timely assessed for potential disclosure.”
The SEC said its investigation is continuing.
Richard L. Cassin is the publisher and editor of the FCPA Blog.