The Securities and Exchange Commission (SEC) announced on Tuesday (April 24) that Altaba, the entity formerly known as Yahoo, has agreed to pay a $35 million penalty to settle charges related to the massive data breach at Yahoo that exposed the personal data of hundreds of millions of users.
In a press release, the SEC said that Altaba agreed to pay the fine to settle charges that it misled investors by failing to announce the data breach, one of the largest in the world. According to the SEC, within days of the intrusion in December 2014, Yahoo’s information security team learned that Russian hackers had infiltrated the company and stolen usernames, email addresses, phone numbers, security questions and encrypted passwords, among other sensitive data.
However, although the Yahoo executive team was alerted to the breach, the SEC found Yahoo failed to investigate it properly and to consider whether or not investors should be notified. The breach wasn’t disclosed to investors until 2016, when Yahoo was closing its deal to sell its internet assets to Verizon Communications.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, co-director of the SEC Enforcement Division, in the press release announcing the fine.
Meanwhile, Jina Choi, director of the SEC’s San Francisco Regional Office, said in the same press release that Yahoo’s failure to put controls and procedures in place to assess its cyber-breach disclosure obligations left investors in the dark about the massive breach.
“Public companies should have controls and procedures in place to properly evaluate cyber-incidents and disclose material information to investors,” Choi said.
The SEC found that Yahoo filed several quarterly and annual reports after learning about the data breach but disclosed neither the breach itself nor its potential impact on the business, including the potential legal costs. The SEC also found that Yahoo didn’t share information about the hack with its auditors or outside counsel so that they could assess its disclosure obligations as a public company.
Finally, the SEC discovered that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s security team pertaining to cyber-breaches, or the risk of breaches, were properly and timely assessed for potential disclosure.