Yahoo pays $35 million penalty to settle S.E.C. charges of misleading investors by failing to disclose data breach of 500 mill. users

Yahoo has agreed to pay the Securities and Exchange Commission $35 million to settle charges that it misled its investors in failing to disclose a massive data breach in which hackers stole the personal data of more than 500 million Yahoo users.In December 2014, Russian hackers stole what Yahoo’s security team referred to as the company’s “crown jewels” —  usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. According to the S.E.C. findings, Yahoo learned of the data breach in late 2014 affecting the 500 million users, Despite its knowledge, Yahoo did not disclose the breach in its public filings until 2016. In its annual and quarterly reports, the company said that it only faced the risk of potential future data breaches.  In addition, although Yahoo was aware of additional evidence in the first half of 2016 revealing that its user database had been stolen, Yahoo denied the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, which eventually purchased Yahoo. The stock purchase agreement was filed with a form 8-K filed with the Securities and Exchange Commission in July 2016.

Verizon Communications, Inc. bought Yahoo’s operating business in June 2017. After the acquisition, Yahoo became known as Altaba Inc. Yahoo is still one of the world’s largest internet media companies providing over one billion users worldwide with products and services. The company is publicly traded. In addition to the failure of Yahoo to disclose the data breach to the investors, Yahoo’s senior management did not disclose information about the breach with Yahoo’s auditors or outside counsel. During the internal investigation, the company’s Chief Security Officer concluded that Yahoo’s entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions. Despite this information, which was communicated to a senior management person, nothing was said to anyone outside the company and Yahoo affirmatively represented to Verizon that it was unaware of any security breaches in its stock purchase agreement.

Jeffrey Newman represents whistleblowers.