The Securities and Exchange Commission on Tuesday announced a $35 million fine against the company formerly known as Yahoo for failing to tell investors about a massive cyber breach for two years, the first time the regulator has punished a company for such conduct.
The Web giant learned in 2014 that Russian hackers had stolen the user names, email addresses and other key user data of 500 million of its users, the largest breach of its kind at the time. But it didn’t tell investors about it for nearly two years, according to the SEC.
Yahoo left “its investors totally in the dark about a massive data breach,” Jina Choi, director of the SEC’s San Francisco regional office, said in a statement.
Yahoo, which sold its core business to Verizon last year for $4.8 billion and renamed itself Altaba, did not admit wrongdoing as part of the settlement. The company declined to comment. SEC officials declined to comment on whether any former or current executives could be held personally responsible for the lapse, noting that the investigation is ongoing.
The case highlights a common complaint in the wake of a growing number of cyber breaches: Companies often take months, sometimes years, to disclose a suspected breach, if they report it publicly at all. Equifax, for example, disclosed last year that hackers had obtained sensitive information, including Social Security numbers and dates of birth, for more than 143 million people. The breach began in May and was discovered by the company at the end of July, but it wasn’t reported to the public until September.
In the Yahoo case, company executives failed to tell the public about the hack even after learning that sensitive information the company referred to as its “crown jewels” had been stolen, according to the SEC. The hackers also gained access to the email accounts of 26 Yahoo users who had connections to Russia, according to SEC court documents. Eventually, Yahoo would reveal that information about all 3 billion of its users had been stolen as part of a separate breach.
“I’ve been saying for years that Yahoo’s failure to notify customers and investors about its massive data breach didn’t pass the smell test,” Sen. Mark R. Warner (D-Va.) said Tuesday on Twitter. “Holding the company accountable is important, and I hope others will learn you can’t sweep this kind of thing under the rug.”
The SEC is not trying to second-guess good-faith efforts by companies to properly respond to a cyber breach, said Steven Peikin, co-director of the SEC enforcement division. “We are aware of the challenges that companies face” from hackers, he said, but the Yahoo case reflected a “complete corporate failure.”
Peikin said the first-of-its-kind fine “should serve as a message to other companies.”