Photo By Scott Schiller
Written By Jeremy Kirk
The U.S. Securities and Exchange Commission says Yahoo has agreed to a $35 million civil fine to settle accusations that it failed to promptly notify investors about a December 2014 data breach.
The enforcement action puts public companies on notice that the SEC doesn’t look kindly upon efforts to conceal or downplay data breaches.
Yahoo, which has renamed itself Altaba, has neither admitted nor denied the allegations – as is typical in such enforcement actions, the SEC says.
But the SEC says that despite Yahoo learning within days of a December 2014 breach that it had been attacked by Russian hackers, the search giant waited nearly two years to disclose the breach to investors. The regulator’s probe into Yahoo’s breach notification speed reportedly launched in December 2016 (see SEC Reportedly Probing Yahoo’s Breach Notification Speed).
“Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
—Jina Choi, director of SEC’s San Francisco office
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” says Jina Choi, director of the SEC’s San Francisco regional office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Altaba couldn’t be immediately reached for comment.
The SEC’s enforcement action has been praised by some lawmakers. “Investors have a right to know whether companies are taking cybersecurity seriously,” says Rep. Jim Langevin, D-R.I. “[The] announcement of a $35 million fine in response to Yahoo’s failure to disclose its massive 2014 data breach is a long overdue first step toward providing real protections for investors. I agree that we should ‘not second-guess good faith exercises of judgment’ by executives, but the bias should be toward disclosing a breach, not burying it.”
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned breach notification service, says that the $35 million fine will “surely cause organizations to think a bit more” about data security.
Many organizations publicly say that security is a top priority, but that often is not necessarily reflected in their IT spending, Hunt says. “There seems to be a degree of lip service [to security],” he says.
‘Crown Jewels’ Stolen
Yahoo disclosed the 2014 breach in September 2016 as it was negotiating its sale to Verizon. Due to the severity of the breach, Verizon closed its acquisition of Yahoo in June 2017 for $4.48 billion, around $350 million lower than the initial asking price.
Under the terms of the acquisition, Yahoo must pay half of all costs related to government investigations and third-party litigation. Yahoo did not carry cybersecurity insurance.
The December 2014 breach affected 500 million users. The SEC’s order says the stolen data included Yahoo’s “crown jewels,” including email addresses, user names, phone numbers, birthdates, hashed passwords as well as unencrypted security questions and answers.
“The bias should be toward disclosing a breach, not burying it.”
—Rep. Jim Langevin
Following the breach, Yahoo filed regular SEC reports in which it only outlined the risks of a data breach without disclosing that it had been attacked. The SEC alleged that Yahoo did not share information about the breach with outside auditors or counsel “in order to assess the company’s disclosure obligations in its public filings.”
The SEC adds: “Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”
Yahoo has a complicated breach disclosure history. After Yahoo disclosed the 500 million breached accounts in September 2016, it revised that tally in December 2016 to 1 billion accounts. It also said at that time attackers had forged cookies, allowing them to directly access some accounts.
In March 2017, four men, including two Russian FSB agents, were indicted on charges related to intrusions into Yahoo, Google and other webmail providers (see Russian Spies, Two Others, Indicted in Yahoo Hack).
Former Yahoo CEO Marissa Mayer told a Congressional committee in November 2017 that it was tough for any corporation to defend against nation-state attackers. She testified that Russian intelligence officers and state-sponsored hackers were responsible for sophisticated attacks on the company’s systems (see Former Yahoo CEO: Stronger Defense Couldn’t Stop Breaches).
“Even robust defenses … aren’t sufficient to protect against the state-sponsored attack, especially when they’re extremely sophisticated and persistent,” Mayer testified.
Just a month prior to Mayer’s testimony, Yahoo disclosed that a 2013 breach compromised virtually its entire user base, encompassing some 3 billion accounts (see Yahoo: 3 Billion Accounts Breached in 2013).
A class-action lawsuit against Yahoo is still winding its way through federal court in San Jose, California. Similar to the SEC’s allegations, the plaintiffs allege Yahoo waited too long to disclose breaches. Some of the plaintiffs allege the Yahoo breaches resulted in fraudulent charges on their cards and spam in their accounts (see Federal Judge: Yahoo Breach Victims Can Sue).
One of the four men who was charged, Alexsey Belan, has been accused of using his access to Yahoo to search for credit and gift card numbers. He has also been accused of using Yahoo account information to facilitate spam campaigns.
Executive Editor Mathew Schwartz also contributed to this report.