Altaba, the company formerly known as Yahoo, has agreed to pay a £25 million fine to the US Securities and Exchange Commission (SEC) for failing to disclose the massive security breaches it suffered back in 2014.
The 2014 attack on Yahoo's server infrastructure saw millions of users' personal details leaked, including names, email addresses, telephone numbers, dates of birth, hashed passwords, and unencrypted security questions and answers. It wasn't until 2016 that the company went public with news of the breach, despite having known about it two years prior - and it's the delay between the company being alerted to the issues and its users and investors receiving the same information which has now come around to bite it in the wallet in the form of a fine from the SEC.
'We do not second-guess good faith exercises of judgement about cyber-incident disclosure,' SEC Enforcement Division co-director Steven Peikin explains. 'But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.'
'Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,' adds regional director Jina Choi. 'Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.'
The SEC's findings in the case include a failure to disclose the breach over a two-year period, with the company's SEC filings warning only of the potential risk of future breaches and saying nothing about the breach it had already experienced; a failure to share information on the breach with auditors and outside counsel; and a failure to maintain disclosure controls and procedures that would have avoided the delay.
Since its acquisition in 2017 by communications giant Verizon, a deal which was heavily discounted in the wake of the breach's disclosure, Yahoo has changed its name to Altaba and recently sold off its photography business, Flickr. Neither of these facts, however, will allow it to dodge the SEC's ruling, which imposes a £25.06 million fine on the company for its actions - and inaction - following the breach.
May 15 2020 | 11:00