Yahoo left “its investors totally in the dark about a massive data breach,” Jina Choi, director of the SEC’s San Francisco regional office, said in a statement.
Yahoo, which sold its core business to Verizon last year for $4.8 billion and renamed itself Altaba, did not admit wrongdoing as part of the settlement. The company declined to comment. SEC officials declined to comment on whether any former or current executives could be held personally responsible for the lapse, noting that the investigation is ongoing.
The case highlights a common complaint in the wake of a growing number of cyber breaches: Companies often take months, sometimes years, to disclose a suspected breach, if they report it publicly at all. Equifax, for example, disclosed last year that hackers had obtained sensitive information, including Social Security numbers and dates of birth, for more than 143 million people. The breach began in May and was discovered by the company at the end of July, but it wasn’t reported to the public until September.
In the Yahoo case, company executives failed to tell the public about the hack even after learning that sensitive information that it referred to as “crown jewels” had been stolen, according to the SEC. The hackers also gained access to the email accounts of 26 Yahoo users who had connections to Russia, according to SEC court documents. Eventually, Yahoo would reveal that information about all 3 billion of its users had been stolen as part of a separate breach.
“I’ve been saying for years that Yahoo’s failure to notify customers and investors about its massive data breach didn’t pass the smell test,” Sen. Mark R. Warner (D-Va.) said Tuesday on Twitter. “Holding the company accountable is important, and I hope others will learn you can’t sweep this kind of thing under the rug.”
The SEC is not trying to second-guess good-faith efforts by companies to properly respond to a cyber breach, said Steven Peikin, co-director of the SEC enforcement division. “We are aware of the challenges that companies face” from hackers, he said, but the Yahoo case reflected a “complete corporate failure.”
Peikin said the first-of-its-kind fine “should serve as a message to other companies.”