Yahoo has agreed to pay a $35 million penalty after failing to properly notify customers and investors that hackers had compromised hundreds of millions of user accounts, the Securities and Exchange Commission (SEC) announced Tuesday.
Yahoo, which was rebranded after being purchased by Verizon last year, first learned about the cyber intrusion in December 2014, but did not alert the public until December 2016, according to the SEC’s order.
While Yahoo agreed to pay the penalty without admitting or denying wrongdoing, the settlement reportedly marks the first time the SEC has pursued a company for failing to properly disclose a cyber breach.
The company's information security team discovered, four days after the breach took place, that Russian hackers had obtained a trove of personal user information, the SEC order says. The cyber criminals gained access to internal data such as usernames, email addresses, passwords, phone numbers and birthdates, as well as security questions and answers, for hundreds of millions of accounts.
Yahoo, which internally described this sort of personal data as its "crown jewels," only disclosed the breach to the public when Verizon was in the process of acquiring Yahoo's operating business, a deal that closed in June, the SEC said.
"Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors," the SEC said.
After the hack, the company continued to file quarterly and annual reports that failed to disclose how one of the world's largest data breaches could affect its business. In addition, the company did not engage an outside party to assess the impact of the hack, the SEC found.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Steven Peikin, co-director of the SEC Enforcement Division, said in a statement.
The SEC order also found that Yahoo lacked procedures for dealing with such a breach and the threat of future hacks, and for disclosing such incidents in a timely and proper fashion.
"Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," Jina Choi, director of the SEC's San Francisco Regional Office, also said in a statement.
“Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors,” Choi added.
Yahoo has since changed the company's name to Altaba.