SEC fines Altaba $35M for waiting 2 years to report data breach

April 24 (UPI) — Federal regulators on Tuesday fined Altaba, the company formerly known as Yahoo, $35 million for failing to disclose a data breach four years ago that compromised the personal data of hundreds of millions of accounts.

Yahoo notified the public about the data breach — which included usernames, email addresses, phone numbers and passwords — in 2016, two years after the company learned about it. The details of the hacking became public during Verizon’s acquisition of Yahoo.

The Securities and Exchange Commission said Yahoo didn’t properly investigate the cyberbreach and the lack of disclosure left investors in the dark.

“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, co-director of the SEC Enforcement Division. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

Verizon acquired Yahoo’s operating business for $4.5 billion in 2017 and renamed it Altaba.

Sen. Mark Warner, D-Va., welcomed the decision by the SEC.

“I’ve been saying for years that Yahoo’s failure to notify customers and investors about its massive data breach didn’t pass the smell test. Holding the company accountable is important, and I hope others will learn you can’t sweep this kind of thing under the rug,” he said.