A publicly traded company agreed to pay a $35 million civil money penalty to settle SEC charges of misleading investors by failing to disclose a significant cybersecurity breach in which hackers stole data from over 500 million user accounts. The company, formerly known as Yahoo! Inc. ("Yahoo," now known as Altaba, Inc. after it was acquired by Verizon Communications, Inc. ("Verizon")), was a prominent global Internet media company.
As explained in a Cease-and-Desist Order, the SEC determined that Yahoo became aware in December 2014 of a massive breach in which private user information – including usernames, email addresses, dates of birth, passwords, and security questions and answers – was accessed and stolen by Russian hackers. Despite knowledge of the breach, Yahoo allegedly failed to launch a sufficient investigation as to its scope, business impact and disclosure implications. In addition, Yahoo allegedly failed to inform outside counsel or auditors, and did not report the incident in SEC filings or to the affected users. The SEC found that Yahoo did not inform Verizon of the breach, or of subsequent indications that hackers were continuously targeting Yahoo users, as acquisition talks progressed between the two companies.
Yahoo ultimately disclosed the data breach to the public in September 2016, after which it agreed with Verizon to reduce the acquisition price by $350 million.
Yahoo made no admissions in connection with the settlement.