The company formerly known as Yahoo agreed to pay a $35 million fine for failing to disclose its massive 2014 data breach to investors, the Securities and Exchange Commission said Tuesday.
The fine was levied on Altaba, which bought Yahoo’s operating business in 2017, to settle charges stemming from the cyber intrusion.
“We do not second-guess good faith exercises in judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted,” Steve Peikin, co-director of the SEC Enforcement Division, said in a statement. “This is clearly such a case.”
Yahoo first discovered in December 2014 that Russian hackers had stolen personal information, including usernames, email addresses, phone numbers, birth dates, and passwords for more than 500 million users, according to the SEC.
Top officials at the company were notified about the breach, but according to the U.S. regulators, the company never investigated the circumstances of the cyber breach and failed to “adequately consider” whether investors should also be told.
Shareholders and the public did not learn that Yahoo had been hacked until 2016, when the company was in the process of being sold to Verizon.
According to the SEC, Yahoo filed numerous quarterly and annual reports during the two years after its system was hacked that did not disclose the cyber intrusion or its impact. The company instead said in its SEC filings that there was a risk of data breaches.
A federal grand jury last year indicted four people, two of whom are Russian intelligence agents, for hacking Yahoo’s systems and stealing information from the hundreds of millions of Yahoo accounts.
One of the conspirators, 22-year-old Karim Baratov of Canada, pleaded guilty for his role in the scheme last year.