Although some of the culprits behind Yahoo’s 2014 security breach have been caught, it seems that the company’s problems have only just begun. In light of its failure to disclose the hack properly, the Securities and Exchange Commission (SEC) has decided to issue Yahoo with a hefty $35 million fine.
This isn’t Yahoo’s first blunder: back in 2013, the company saw over a billion users left vulnerable to information theft, in a breach that reportedly stopped short of taking financial data.
The 2014 breach is believed to have been the work of Russian spies and hackers who were later apprehended after stealing the data of 500 million users. The stolen data ranged from usernames and email addresses to their accompanying passwords, birth dates, phone numbers, and security questions and answers.
While the SEC has said that Yahoo’s information security team had identified the intrusion and reported it to the company’s senior management and legal department, it was not investigated to a satisfactory standard. Furthermore, the breach was kept from investors for more than two years and was only revealed when Verizon expressed interest in purchasing Yahoo in 2016.
“Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said director of the SEC's San Francisco Regional Office, Jina Choi. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” concluded Steven Peikin, co-director of the SEC's Enforcement Division. “But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
KitGuru Says: This is Yahoo’s own doing, meaning that the company has no choice but to step up and admit responsibility. Still, this is quite a blow to the company, and one that could spell trouble in the long term.