Altaba, the company formerly known as Yahoo, agreed to pay the Securities and Exchange Commission a $35 million fine for failing to disclose to investors a massive data breach for two years, the regulator announced Tuesday.
Altaba agreed to pay the fine without admitting or denying any wrongdoing.
According to the SEC, Yahoo learned of an intrusion by Russian hackers in 2016 just days after it occurred. The incident resulted in the theft of sensitive information and credentials of 500 million users. And while news of the breach circulated within the company, Yahoo didn’t properly investigate the breach or consider whether to inform its investors, the SEC said. News of the incident only became public when Yahoo was in the midst of being acquired by Verizon.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said Jina Choi, director of the SEC’s San Francisco regional office, in a statement. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
The SEC notes that Yahoo could have disclosed its breach in several quarterly filings during the two years between the breach and its public revelation. But the company said that it faced “only the risk of, and negative effects that might flow from, data breaches,” the SEC said.
The regulator said that Yahoo did not have proper procedures in place to make sure that information from its information security team was vetted for potential disclosure.
Sen. Mark Warner, D-Va., the ranking member on the Senate Banking Subcommittee on Securities, Insurance, and Investment, tweeted in vindication, saying that breaches like Yahoo’s can’t be swept “under the rug.”
I’ve been saying for years that Yahoo’s failure to notify customers and investors about its massive data breach didn’t pass the smell test. Holding the company accountable is important, and I hope others will learn you can’t sweep this kind of thing under the rug. https://t.co/vt9WJbVgKz
— Mark Warner (@MarkWarner) April 24, 2018
In February, the SEC issued guidance telling companies to be transparent with investors when it comes to cybersecurity incidents and risks.
Yahoo the web service continues to operate under the same name as part of Oath, Verizon’s digital media division. Yahoo the corporation became Altaba, a holding company, after the Verizon sale in 2017.