SEC Issues $35 Million Fine Over Yahoo Failing To Disclose Data Breach

Altaba, the company formerly known as Yahoo, will have to pay a $35 million fine for failing to disclose a 2014 data breach in which hackers stole info on over 500 million accounts. "The U.S. Securities and Exchange Commission announced today that Altaba, which contains Yahoo's remains, agreed to pay the fine to settle charges that it misled investors by not informing them of the hack until September 2016, despite known of it as early as December 2014," reports The Verge. From the report: The SEC goes on to admonish Yahoo for its failure to disclose the breach to investors, saying that the agency wouldn't "second-guess good faith exercises of judgment" but that Yahoo's decisions were "so lacking" that a fine was necessary. Yahoo isn't being fined for having poor security practices, not informing users, or really anything related to the hack happening. The SEC is just mad that investors weren't told about it, because -- as Yahoo even noted in filings to investors -- data breaches can have financial impacts and legal implications. With a breach this large, the SEC believes that was obviously a real risk. "Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors," Jina Choi, director of the SEC's San Francisco Regional Office, said in a statement. The SEC released guidance to public companies on what to disclose about data breaches earlier this year, which could help to avoid similar situations in the future.

End of Yahoo?

[jwhyche]

Does Yahoo have 35 million laying around? I Yahoo even worth this much to verizon?

Re:

[greenwow]

Verizon paid $4.48 billion for them so you would think that wouldn't be a problem.

Re:

[arglebargle_xiv]

Yahoo, will have to pay a $35 million fine for failing to disclose a 2014 data breach

"Smithers, take it from petty cash, and we're done". The GDPR may be a bit overreaching in places, but one thing they have got right is the fines, that's something companies can't ignore any more. For the first time, shareholder value will now be tied to looking after people's private details.

7c a user...

[dyfet]

Privacy is cheap according to the SEC.

Re:

[ShanghaiBill]

Privacy is cheap according to the SEC.

It is not the SEC's job to protect your privacy. This fine was about protecting the rights of investors, not users, and there were a lot less than 500 million Yahoo investors.

Re:

[whoever57]

It's not clear to me how this protects investors. The company pays the SEC, the company value goes down. The stock price goes down.

It's bullshit. The penalty should be levied against the C-level executives who hid the breach, not the company.

Re:

[PastTense]

It works by deterring future offenders, not by helping current investors.

Re:

[sexconker]

In what way is anyone deterred from doing it in the future?
Are any of the people involved imprisoned? Are we taking their money/property away?

Re:

[ShanghaiBill]

Are we taking their money/property away?

It is very likely that, as we type, some law firm is preparing a shareholder lawsuit against the executives that made the decision, to recoup some or all of the $35M.

Re:

[whoever57]

Shareholder lawsuits typically target the company, not the execs.

Which specific executives

[olsmeister]

will be paying the fine? Yeah, didn't think so.

Re:

[rmdingler]

$0.07 per stolen account. How are companies supposed to learn from their actions if they only receive a slap on the wrist?

Perhaps corporations are indeed learning from their actions. Repeated infractions have been met with punishments on the order of 50 lashes with a wet noodle... not exactly a deterrent to objectionable corporate decision-making.

Re:

[account_deleted]

Comment removed based on user account deletion

Not very punative

[Only Time Will Tell]

I would have hoped that not securing your data and allowing customer data to get into the hands of who knows who would be worth at least $1 per account affected. No need to invest in proper IT security if you have the cash on hand.

Who gets the $ ?

[rojash]

Do the cheated public ever get to see any of these so called 'fines' at all or does it all go to Uncle Sam who just encourages more of such pathetic capitalistic companies that dont care about privacy ?? Europe rocks for privacy.

Re: Who gets the $ ?

[Anonymous Coward]

Once a upon a time when the federal government was not yet a giant squid and deficit spending with no plan to ever go cash positive was not a feature of the federal budget; yes the public benefited in the sense that government had more money to spend on services without additional tax revenue. I'll gotten gains could be recorded from bad actors and society could be reembursed for some of their harms.

In the modern era there is no relationship (only a slight exaggeration) between the treasury, taxes, or othe

Re:

[epine]

Mayer should be personally fined for "misleading investors while serving as an officer of a public company" or something.

I don't see the difficulty here.

Executive bonuses should be recalculated retroactively with these kinds of fines allocated to the point of cause rather than the point of outcome, and then clawbacks all around.

At the scale of Volkswagen, this would have wiped every executive bonus off the map, with effects spread over a multiple year period.

Yahoo was failing for a long time and I suspect b

What about the rest?

[SeaFox]

Weren'tt there multiple breaches? This fine is specifically for the 2014 one.

Annoyance Fee

[mpechner]

3B in revenue. 35M fine. Like a pimple that needs to be popped.

Only $35 million!?

[NichardRixon]

Truly shocking! Have they not considered the impact this could have on investment bankers' bonuses--in this year alone?

No surprise

[nospam007]

Their Oracle told them years ago.

(Yet Another Hierarchical Officious Oracle!)