Altaba, formerly known as Yahoo, has agreed to pay a $35 million fine to settle charges that it failed to promptly disclose a massive data breach relating to hundreds of millions of user accounts.
The Securities and Exchange Commission (SEC) ruled that the company essentially misled investors because the stock price plunged after the breach was finally revealed.
The SEC found that within days of the breach, Yahoo knew that Russian hackers had broken into the network and made off with usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
The regulator says the information was reported to Yahoo's senior management, but the company failed to properly investigate the circumstances and adequately consider whether the public should be notified.
Delayed for two years
The SEC says Yahoo waited two years, until it was in the process of selling its operating business to Verizon in 2016, before revealing the data breach.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, Co-Director of the SEC Enforcement Division. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
Last year, Yahoo executives were pressed by members of a Senate committee to answer questions about the breach. Then-CEO Marissa Mayer was asked to describe Yahoo's efforts to notify affected users and what steps the company had taken to mitigate consumer harm.
Last month a federal judge ruled that affected Yahoo users can move forward with a lawsuit against the company. The judge turned aside Verizon's objections, saying affected users might have behaved differently had they known their data had been compromised.
Harm to investors
The SEC settlement specifically addresses investors – people who had purchased Yahoo stock without knowing the company faced a potentially expensive liability. The order found that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications.
The SEC also said Yahoo failed to share information about the breach with its auditors or outside counsel in order to determine what it was obligated to disclose.