US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo’s “crown jewels.”
The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen ‘crown jewel’ data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.
While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” SEC San Francisco regional office director Jina Choi said in a release.
“Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Although Yahoo is no longer an independent company — its financial holdings are in a separate company now called Altaba — Verizon has continued to operate the Yahoo brand, including its email service and a variety of news and entertainment websites.
Oath includes the Yahoo internet operations along with those of another former internet star, AOL.
In addition to the 2014 breach, a hack the previous year affected all three billion Yahoo user accounts, according to findings disclosed by Verizon after the acquisition.
The US Justice Department charged two Russian intelligence operatives and a pair of hackers over one of the attacks, which had apparent twin goals of espionage and financial gain.
Yahoo, which was once one of the leading internet firms, sold its main online operations to Verizon last year in a deal valued at $4.48 billion.
The purchase price was cut following revelations of the two major data breaches at Yahoo.