Altaba, the holding company formed to carry the remains of Yahoo after it sold its core business to Verizon, has agreed to pay a $35 million fine to the Securities and Exchange Commission for Yahoo’s failure to quickly inform users about several massive breaches.
Hackers stole credentials for all 3 billion Yahoo accounts as well as some personal information in 2013. A separate 2014 incident affected 400 million Yahoo accounts. In the 2014 breach, hackers forged cookies that enabled them to log into targeted accounts without obtaining the passwords.
Yahoo didn’t disclose the breaches until late 2016, after its sale to Verizon was already underway. Verizon ultimately negotiated a $350 million decrease in the acquisition price, due to Yahoo’s poor cybersecurity and incident response.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” Steven Peikin, co-director of the SEC Enforcement Division, said in a statement. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
In quarterly and annual reports Yahoo filed with the SEC between the 2014 breach and the 2016 disclosure, it made no mention of the breach or its potential impact on investors.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said Jina Choi, director of the SEC’s San Francisco Regional Office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”