The United States Securities and Exchange Commission has imposed a $35 million fine on Yahoo for failing to disclose a massive 2014 security breach and misleading its investors. This is probably the first ever penalty imposed on a company for failing to properly disclose a cyber breach.
However, it isn’t being levied because the company failed to alert its users or had poor security protections in place. The commission is upset that the company didn’t inform its investors until September 2016 even though the breach happened in 2014.
Fines will be paid by the parts of Yahoo that Verizon didn’t purchase
The announcement said that Altaba, formerly known as Yahoo, has agreed to pay the penalty to settle the charges. Altaba is made up of the parts that Verizon didn’t take. However, Verizon-owned Yahoo could also be facing some liabilities as there are several lawsuits on both the hacks that the company suffered in 2013 and 2014 but failed to disclose.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” Steven Peikin, co-director of the SEC’s division of enforcement, said. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
The SEC’s order finds that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
The Commission’s Jina Choi added that “public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Today’s announcement appears to mention only the 2014 hack that affected 500 million users. The company admitted to a second hack later in 2016, revealing that over a billion of its users were affected in a campaign launched by state-sponsored actors (the figure was later adjusted to all 3 billion users). While many have demanded fines against the executives, the SEC said it is still investigating and hasn’t made any decision about the conduct of individuals.