Yahoo has agreed to pay $35 million to settle charges that it misled investors by waiting nearly two years to disclose that hackers stole data relating to 500 million users, the Securities and Exchange Commission said Tuesday.
The fine is the latest development stemming from a data breach that occurred in December of 2014, when Russian hackers obtained email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Yahoo failed to disclose the breach until September 2016, when it was about to be acquired by Verizon.
"Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach," the SEC wrote in its order. "Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings."
The SEC adds in its order that Yahoo "acted negligently in filing materially misleading periodic reports with the Commission."
Steven Peikin, co-director of the SEC Enforcement Division, stated Tuesday that the agency doesn't "second-guess good faith exercises of judgment about cyber-incident disclosure," but added that "a company’s response to such an event could be so lacking that an enforcement action would be warranted."
Yahoo didn't admit or deny the SEC's findings.
December of 2014 was not the only time Yahoo suffered a data breach. In 2013, hackers stole data including names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers associated with an estimated 3 billion Yahoo accounts. Yahoo did not disclose that breach until December of 2016.
And in February of 2017, Yahoo announced a third attack in which hackers gained access to users' passwords by forging cookies.
Last month, a federal judge in California ruled that web users can proceed with a host of claims against Yahoo stemming from the data breaches.