Yahoo may have changed its name, but it’s still paying for a massive 2014 data breach.
Altaba, what’s left of Yahoo after the company sold most of its properties, has agreed to pay $35 million to settle charges that it misled investors about the hack, the US Securities and Exchange Commission said Tuesday.
In 2017, Yahoo completed the sale off its core business to Verizon for $4.48 billion. It retained large stakes in e-commerce company Alibaba and Yahoo Japan and changed its name to Altaba.
Yahoo knew that Russian hackers had obtained personal information from about 500 million of its users just days after the breach, according to the SEC. But it didn’t tell its investors and the public until two years later.
The information included birth dates, phone numbers and encrypted passwords.
Altaba told CNN it had no comment on the SEC’s announcement. The SEC statement says Altaba did not admit to or deny the findings.
In November 2017, a 22-year-old Canadian man named Karim Baratov pleaded guilty to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft. He will be sentenced this week. Earlier in 2017, the Justice Department also indicted two Russian spies and two cybercriminals for the breach.
The breach was separate from a 2013 hack that compromised every single Yahoo account — all 3 billion of them, including email, Tumblr, Yahoo Fantasy and Flickr. The number was more than three times the amount Yahoo originally reported.
Other punishments for the 2014 breach could still be in the works from other agencies like the Federal Trade Commission. Shareholders have filed lawsuits against the company, including some class-action suits.
A 2016 SEC filing said the company was cooperating with US and foreign government agencies investigating the incident.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said SEC San Francisco director Jina Choi in a statement. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
CNNMoney (San Francisco) First published April 24, 2018: 4:27 PM ET