U.S regulators have fined Altaba, the company formerly known as Yahoo! Inc., $35 million on Tuesday. This money was demanded to settle the charges that kept its 2014 cyber-security breach a secret from their investors for more than 2 years.
The Securities and Exchange Commissions case marks the first time it has gone after a company for failing to disclose a cyber-security breach. Altaba has agreed to settle without admitting or denying any wrongdoing on their part.
A spokesman from Altaba did not immediately respond immediately to a request for comment.
Yahoos information security team learned just 2 days later that the breach in December 2014 had led to the company’s data being stolen by Russian hackers. This included “crown jewels,” emails addresses, encrypted passwords, and security questions as claimed by SEC in a statement.
Despite being aware of this security-breach and reporting to Yahoo’s senior management and legal department, the company failed to investigate it properly and did not disclose it to the public until after 2 years.
This breach was disclosed when Verizon bought Yahoo last year. The U.S. Justice Department announced charges against four men including 2 officers in Russia’s Federal Security Service, for their roles in stealing 500 million Yahoo Accounts.
One of the hackers, Karim Baratov- a Canadian citizen born in Kazakhstan pleaded guilty last year to charges for helping Russian Intelligence agents break into email accounts in 2014’s breach.
Yahoo also admitted last fall that in a separate August 2013 hack, 3 billion user accounts had their data stolen which was one of the largest hacks of all times apart from the 2014 hack that is currently being subjected by the SEC.
Co-Director of the SEC Enforcement Division, Steven Peikin, said in a statement that, “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
You can read the entire SEC release here