The company formerly known as Yahoo has agreed to pay a $35m penalty to the Securities and Exchange Commission after failing to notify the market promptly about a breach of hundreds of millions of accounts.
The December 2014 breach of around 500 million accounts resulted in usernames, email addresses, encrypted passwords, birthdates, phone numbers and security questions ending up in the hands of alleged Russian state hackers.
Last year, the Department of Justice charged four Russians: FSB officers Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, and two cyber-criminals they are said to have conspired with, Alexsey Belan and Karim Baratov.
The latter has pleaded guilty and is currently awaiting sentencing, although the others are thought to be at large.
The SEC claimed that Yahoo’s senior management and legal department knew “within days” of the intrusion that hackers had stolen the crown jewels but failed to investigate properly or consider whether investors needed to know.
In fact, the firm failed to notify over several quarterly and annual reports, saying only in its SEC filings that it faced the risk of breaches.
This meant that the incident was only disclosed when Verizon came to buy the company in 2016.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said SEC regional office director, Jina Choi. “Public companies should have controls and procedures in place to properly evaluate cyber-incidents and disclose material information to investors.”
The breach is separate to the 2013 incident which the firm admitted last year hit all three billion accounts.
Although Verizon subsequently received a major $350m discount on the original agreed price for Yahoo, it is still picking up the pieces financially of the company’s past mistakes, with ongoing lawsuits pending.
However, this fine will be owed not by Verizon but the new Yahoo holding company known as Altaba.