FOLLOW US

Massive Cybersecurity Breach

The Securities and Exchange Commission announces Altaba’s failure to disclose a massive cybersecurity breach, dating back to 2014. In doing so Altaba, formerly known as Yahoo! Inc., agrees to pay a $35 million penalty to settle charges. Altaba is negligent in misleading investors by failing to disclose one of the world’s largest data breaches. For context, the breach was extensive in that hackers stole personal data relating to hundreds of millions of user accounts.

“According to the SEC’s order, within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.” – Securities and Exchange Commission

Despite knowledge of the behemoth breach, Yahoo senior managers and its legal department fail to properly investigate the breach. Furthermore, adding fuel to the fire, the executives decide not to disclose the breach to investors. More troublesome is that Yahoo’s nondisclosure of the material fact (the breach) does not occur until more than two years later, in 2016. Take note that during this time, Verizon Communications, Inc., is in the process of acquiring Yahoo’s operating business.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, Co-Director of the SEC Enforcement Division.

Lack of Cyber-Disclosure and Fine

The fact remains that Yahoo’s failure to implement the appropriate controls to assess its cyber-disclosure obligations constitutes an unprecedented level of neglect. The expectation is that public companies possess the controls and procedures to properly evaluate and mitigate cyber incidents. Equally paramount is Yahoo’s responsibility to disclose material information to investors in a timely manner.

Yahoo neither admits nor denies the findings of the SEC order, and pays the $35 million fine.