US regulator imposes $35m fine over Yahoo data breach

Failure to disclose 2014 security breach ‘a complete corporate failure’, regulator says

Altaba, formerly called Yahoo, will pay $35 million to settle charges it misled investors by failing to disclose a massive 2014 security breach, the US Securities and Exchange Commission said on Tuesday.

The fine is the first the SEC has levied against a public company for failing to disclose a cyber breach and comes as the agency tries to impress upon businesses the need for proper controls and procedures around cyber security.

“We do not seek to second-guess good-faith disclosure decisions. But this case is not about that,” said Steven Peikin, co-director of the SEC’s division of enforcement, on a call with reporters.

He said there was “a complete corporate failure to disclose information about the data breach that was widely known and readily available in the company”.


The SEC did not announce any charges against executives at Yahoo. Mr Peikin said the agency’s investigation was continuing and it had not made any decisions about the conduct of individuals.

Yahoo was attacked in 2014 by Russian hackers and details about hundreds of millions of user accounts were stolen. The information, including encrypted passwords and security questions and answers, was referred to internally as Yahoo’s “crown jewels”, said the SEC.

The company did not tell investors about the attack until September 2016, after it had agreed a deal to sell its operating business to Verizon. The agency said Yahoo did not share information about the breach with its auditors or outside counsel.

“This case I think represents a very, very substantial shortfall in even the modest expectations of what companies should be doing in these situations,” said Mr Peikin. – Copyright The Financial Times Limited 2018