Yahoo Fined $35 Million By SEC Over 2014 Breach
The Securities and Exchange Commission (SEC) has fined Yahoo, now named Altaba, $35 million for misleading investors.
According to the SEC, Yahoo’s security team learned of an intrusion by Russian spies within days of the December 2014 breach. The cybercriminals were able to obtain usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions for hundreds of millions of users.
In its order, the SEC says Yahoo failed to “properly investigate” the incident or notify investors. The breach was not disclosed until 2016 when Yahoo was closing a deal with Verizon.
Jina Choi, Director of the SEC’s San Francisco Regional Office, said, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Yahoo sold much of its business operations to Verizon for a reduced rate of $4.8 billion and renamed their remaining business Altaba. Verizon will not be fined for the breaches, as they did not take control of the company until 2017.
The fine from the SEC is not the only financial repercussions that Altaba may face. Last month, a U.S. district judge ruled victims of Yahoo’s three massive data breaches were free to sue for punitive damages. It is believed all three billion Yahoo users were affected by these breaches.
If Yahoo users want to continue to use their Yahoo account, they will need to accept and agree to the new policies.