Yahoo! Agrees to Pay $35 Million SEC Fine for Failing to Disclose Massive Cybersecurity Breach

On April 24, 2018, the United States Securities and Exchange Commission (“SEC”) announced that Altaba, formerly known as Yahoo!, agreed to pay a $35 million penalty to settle claims related to Yahoo’s failure to promptly disclose a massive data breach that the company experienced in December 2014.  Yahoo learned of the data breach within days of the December 2014 attack but did not publicly disclose the breach.  Instead, Yahoo delayed for nearly two years before disclosing that Russian hackers stole personal data relating to hundreds of millions of users’ accounts.

The Russian hackers stole what Yahoo referred to internally as the company’s “crown jewels”, which included usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers.  According to the SEC, “Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”  The SEC found that, “Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.”

The SEC’s April 24, 2018 press release can be found here.  The SEC’s April 24, 2018 order in the cease-and-desist proceedings can be found here.