Altaba, Formerly Yahoo, Fined $35M for Failing to Disclose Russian Hack

    The company formerly known as Yahoo has been handed a $35 million fine for deceiving investors by failing to disclose one of the biggest data breaches in internet history, AFP reported.

    According to an order by the Securities and Exchange Commission, within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.  All of Yahoo’s email and other digital services were sold to Verizon Communications for $4.48 billion last year.

    “Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.  The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc.,” the SEC said.

    The U.S. Justice Department announced charges last year against four men, including two officers in Russia’s Federal Security Service, for their roles in the theft of 500 million Yahoo accounts.

    One of them, Karim Baratov, a 23-year-old Canadian citizen born in Kazakhstan, pleaded guilty late last year to charges related to helping Russian intelligence agents break into email accounts as part of a massive 2014 breach.

    Baratov was expected to be sentenced on Tuesday for his role in the Yahoo hack, but a judge delayed the decision. Prosecutors are asking for an eight-year prison sentence.

    During its investigation into the 2014 breach, Yahoo uncovered a separate 2013 breach that compromised all 3 billion of its accounts, which is by far the largest known breach of consumer information.