Altaba, the legal entity that used to oversee Yahoo Inc.’s search engine and email service, has agreed to pay a $35 million fine from an American regulator for failing to disclose to investors a massive breach in 2014 until two years after it was discovered.
The U.S. Securities and Exchange Commission (SEC) made the announcement Tuesday, saying the agreement settles charges that Altaba misled investors by not disclosing that it knew within days of the December 2014 intrusion that Russian hackers had stolen usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
Separately on Tuesday, the sentencing in San Francisco of Canadian Karim Baratov, who pleaded guilty to being involved in a Yahoo breach, was delayed to May 29, reports CBC News. Prosecutors are asking for close to an eight-year sentence.
Verizon Communications bought the search engine and email assets of Yahoo last summer. The remaining pieces of the company were called Altaba, which owns part of the Chinese Internet giant Alibaba.
According to the SEC, while agreeing to pay the fine Altaba neither admitted nor denied the findings in the SEC’s order.
The SEC says that while Yahoo’s senior management and legal department were told about the breach shortly after it was discovered, the company failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. Only when Yahoo was in the process of closing the deal to sell its operating business to Verizon did it admit to knowing about the breach.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” Steven Peikin, co-director of the SEC Enforcement Division, said in a statement. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about the massive data breach, said the SEC. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.
The SEC concluded that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the filings stated that Yahoo faced only the risk of, and negative effects that might flow from, data breaches. Nor did Yahoo share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.
The SEC also found that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Baratov, a 23-year-old from Hamilton who was described by American officials as an “international hacker for hire,” is facing prison time on convictions of one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft over several years. U.S. officials said he hacked into the webmail accounts of 11,000 victims, broke into their digital records, and sold stolen access to their private lives between 2010 and 2017.
According to CBC, a memorandum filed by U.S. law enforcement officials described a “pressing need” for a long sentence to deter cybercriminals whose hacking can lead to other criminal activity, including foreign espionage. However, on Tuesday the judge asked prosecutors to explain why the Canadian should get almost eight years in prison. The judge said that would be longer than what other hackers had received for similar crimes, and also stressed that Baratov was not behind the Yahoo hack.
Baratov’s lawyers told Canadian reporters that their client hacked only eight accounts and did not know he was working for Russian agents connected to the Yahoo breach.
Others charged with Baratov remain at large in Russia.