In an ongoing investigation by the Securities and Exchange Commission, Yahoo (now Altaba) has been fined $35 million for failing to report a known data breach in two straight years of SEC filings.
Publicly traded companies in the United States are required by law to disclose any mishaps that may impact or have impacted its bottom line, giving stakeholders the chance to make informed decisions about their investments in the company.
That’s exactly what Yahoo didn’t do when it learned in 2014 that Russian hackers made off with personal data belonging to almost all its users.
“Within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts,” reads the press release.
“The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications.”
In the two years that followed, Yahoo failed to disclose the breach – and its potential business impact and legal implications – in its quarterly and annual reports. The company only offered a general disclosure that it faced the risk of data breaches, a common default practice at publicly listed companies.
The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.
Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.