SEC fines Yahoo 35M dollars over data breach disclosure failure

Yahoo — or rather, the shell company holding on to its remnants — will have to pay a $35 million fine for failing to disclose a 2014 data breach in which hackers stole info on over 500 million accounts, The Verge reports.

The US Securities and Exchange Commission announced today that Altaba, which contains Yahoo’s remains, agreed to pay the fine to settle charges that it misled investors by not informing them of the hack until September 2016, despite knowing of it as early as December 2014.

The SEC goes on to admonish Yahoo for its failure to disclose the breach to investors, saying that the agency wouldn’t “second-guess good faith exercises of judgment” but that Yahoo’s decisions were “so lacking” that a fine was necessary.

Yahoo isn’t being fined for having poor security practices, not informing users, or really anything related to the hack happening. The SEC is just mad that investors weren’t told about it, because — as Yahoo even noted in filings to investors — data breaches can have financial impacts and legal implications. With a breach this large, the SEC believes that was obviously a real risk.

“Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors,” Jina Choi, director of the SEC’s San Francisco Regional Office, said in a statement.

The SEC released guidance to public companies on what to disclose about data breaches earlier this year, which could help to avoid similar situations in the future.

The hack is said to have been carried out by Russian agents and other criminals, whom the US Justice Department is attempting to prosecute. They obtained data from Yahoo including usernames, email addresses, encrypted passwords, birthdates, phone numbers, and security questions.

Yahoo revealed the breach shortly after reaching an agreement to be purchased by Verizon in July 2016. That acquisition has since closed, but Verizon didn’t purchase all of Yahoo. And apparently it left behind the portion that was liable for this failure.

That’s likely because the Yahoo that Verizon purchased (which contained basically everything you would publicly identify as Yahoo) was spun off of the original company. At the same time, the original company was renamed from Yahoo to Altaba. Altaba is largely just a holding company for Yahoo’s valuable investment in Alibaba.

It appears that the Yahoo owned by Verizon could still be liable for the data breach, though. Last September, a judge gave the go-ahead to lawsuits related to that and one other hack of the company.
