Sophos News

Yahoo fined $35m for staying quiet about mega breach

The US Securities and Exchange Commission (SEC) on Tuesday announced that Altaba – a holding company that swept up Yahoo’s remains after Verizon took over its internet business last year – has agreed to pay a $35 million fine for Yahoo having waited more than two years to tell investors about a breach it knew of as early as December 2014.
Which breach? Good question. The fine pertains to the 2014 breach, in which half a billion accounts were plundered by Russian thieves.
The intruders made off with what Yahoo’s internal security team referred to as the “crown jewels”. The stolen data included usernames, email addresses, phone numbers, birthdates, encrypted passwords (encrypted after a fashion, at any rate, with creaky old MD5 password hashing), and security questions and answers.
At the time, the thinking was… Huh, how come it took two years to uncover this huge breach?
It turns out that Yahoo’s security team had actually discovered the intrusion within days of it happening in December 2014, not two years later. The breach was, in fact, reported to Yahoo’s senior management and legal department.
Be that as it may, Yahoo didn’t properly investigate the breach, and it didn’t give much thought to whether it should be disclosed to investors – until, that is, Verizon came calling, according to the SEC’s order (PDF):

The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc.

Yahoo has neither confirmed nor denied the SEC’s findings.
The fine has nothing to do with the data breach, nor with subpar security practices, nor with Yahoo’s failure to inform users. Rather, the SEC is miffed because huge breaches can have huge financial and legal repercussions. Yahoo even noted that in filings to investors.
Steven Peikin, Co-Director of the SEC Enforcement Division, was quoted in the SEC’s order:

We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.

Jina Choi, Director of the SEC’s San Francisco Regional Office, said that Yahoo’s investors were left “totally in the dark” by the company’s failure to tell them about the breach:

Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.

The SEC noted that earlier this year, it released guidance to help public companies figure out what to disclose about data breaches.
The SEC says its investigation is continuing.