Naked Security

Yahoo fined $35m for staying quiet about mega breach

The smallest thing about the Yahoo mega-breach is the fine

The US Securities and Exchange Commission (SEC) on Tuesday announced that Altaba – a holding company that swept up Yahoo’s remains after Verizon took over its internet business last year – has agreed to pay a $35 million fine for Yahoo having waited more than two years to tell investors about a breach it knew of as early as December 2014.
Which breach? Good question. The fine pertains to the 2014 breach, in which half a billion accounts were plundered by Russian thieves.
The intruders made off with what Yahoo’s internal security team referred to as the “crown jewels”. The stolen data included usernames, email addresses, phone numbers, birthdates, password hashes (hashed rather than encrypted, and with the long-obsolete MD5 algorithm, which is so fast to compute that common passwords can be recovered from it by a simple lookup table), and security questions and answers.
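To make the MD5 point concrete, here is an added example (not code from the original article, and not anything Yahoo ran) showing why an unsalted MD5 password hash is only marginally better than plaintext once the table leaks: a precomputed digest-to-password table reverses every account that used a common password in constant time, whereas a per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library here; argon2, scrypt or bcrypt are better choices when available) defeats the shared table and makes each guess expensive. The password list is constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords of the kind found in every credential
# dump. Illustrative only; not taken from the Yahoo breach.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "yahoo2014"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password: the obsolete scheme the article refers to."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> plaintext once; the same table works against every
    stolen row because there is no per-user salt."""
    return {md5_hex(p): p for p in candidates}


def crack_md5(stolen_digests, table):
    """Reverse unsalted MD5 by dictionary lookup: O(1) per account, no brute force."""
    return {d: table[d] for d in stolen_digests if d in table}


# Hardened alternative: random 16-byte salt per user and a slow KDF.
# 600k iterations is a commonly cited 2023 recommendation for PBKDF2-SHA256
# (assumption for illustration; tune to your hardware budget).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare
    in constant time so the check itself does not leak timing information."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Simulate a leaked MD5 column: two weak passwords and one strong one.
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = [md5_hex("password"), md5_hex("letmein"), md5_hex("Tr0ub4dor&3")]
    print("cracked from MD5 column:", crack_md5(stolen, table))

    # Same password, two users: salted records differ, so no shared table applies.
    rec1, rec2 = hash_password("password"), hash_password("password")
    print("records differ:", rec1 != rec2)
    print("verify ok:", verify_password("password", rec1), verify_password("Password", rec1))
```

The practical takeaway is the asymmetry: against the MD5 column the attacker pays once to build the table and then cracks every weak account for free, while against the salted PBKDF2 records every guess against every account costs the full iteration count.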
At the time, the obvious question was: how on earth did it take two years to uncover such a huge breach?


It turns out that Yahoo’s security team had actually discovered the intrusion within days of it happening in December 2014, not two years later. The breach was, in fact, reported to Yahoo’s senior management and legal department.
Be that as it may, Yahoo didn’t properly investigate the breach, and it didn’t give much thought to whether it should be disclosed to investors – until, that is, Verizon came calling, according to the SEC’s order (PDF):

The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc.

Yahoo has neither confirmed nor denied the SEC’s findings.
The fine is not for the breach itself, nor for subpar security practices, nor for Yahoo’s failure to inform users. It is for failing to inform investors: a breach of this size carries serious financial and legal repercussions, and Yahoo had itself said as much in its filings to investors, while saying nothing about the breach it already knew had happened.
Steven Peikin, Co-Director of the SEC Enforcement Division, was quoted in the SEC’s announcement:

We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.

Jina Choi, Director of the SEC’s San Francisco Regional Office, said that Yahoo’s investors were left “totally in the dark” by the company’s failure to tell them about the breach:

Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.

The SEC noted that earlier this year, it released guidance to help public companies figure out what to disclose about data breaches.
The SEC says its investigation is continuing.


3 Comments

The problem is that the government’s position is that it is ‘all about the money’. They in fact don’t give two hoots about the citizens that support them.
To wit, I point out the ‘do not call list’. How is that working out for you?

>> To wit, I point out the ‘do not call list’. How is that working out for you?
Extremely well – ever since I signed up for it when it first became available cold calls from legitimate businesses have dropped to zero. I used to regularly receive calls from real businesses wanting me to buy some product or service from them – now, none.
Robocalls/scam calls are a different story. Since they are breaking the law by calling me in the first place, I immediately know they are crooks and just hang up on them. Of course charities and politicians are exempt from Do-Not-Call, so scammers imitate them – so I hang up on all of them also. Many of them fall into the crooks category anyway.
I love Do-Not-Call… if the phone rings and it isn’t a business or service I do business with I automatically know it is a criminal and I can safely hang up. And the Feds have successfully prosecuted robo-callers, but the real solution is for the phone companies to block them. But they won’t.

I’ve had a good result with the equivalent of “do not call” in both Oz and the UK. More precisely, the number of junk calls I got in both countries dropped off sharply in the three or four weeks after opting out. I assume that was not coincidental in either case. Most of the nuisance callers seem to have been local cold-calling businesses that were close enough to the edge to call aggressively if they knew it was legal, but to back off if they knew it wasn’t so as not to risk being drummed out of business. I take that as a modest but commendable reflection on the regulators in both countries – a few “no nonsense” regulatory rulings combined with fines seem to have paid off.
