The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world's largest ever computer security breaches.
Now known as Altaba following its long, slow and painful descent into irrelevance, Yahoo! knew that its entire user database – including billions of usernames, email addresses, phone numbers, birthdates, passwords, security questions – had been grabbed by Russian hackers back in December 2014 – just days after the break-in occurred.
Security staff informed senior Yahoo! management and its legal department, who then demonstrated the same kind of business and strategic nous that saw the company fold into itself when they decided to, um, not tell anyone.
It wasn't until two years later, when telco giant Verizon said it wanted to buy the troubled company, that Yahoo! finally revealed the massive breach.
The SEC is, understandably, not overly impressed. "Yahoo! failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors," it said Tuesday, before the co-director of its enforcement division, Steven Peikin, gave what amounts to a vicious burn in the regulatory world.
"We do not second-guess good faith exercises of judgment about cyber-incident disclosure," said Peikin. "But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case."
Another SEC staffer, Jina Choi, director of its San Francisco office, also piled in, noting that: "Yahoo!’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors."
So, about that...
Yahoo! should have let investors know about the massive breach in its quarterly and annual reports because of its huge business and legal implications, the SEC said.
But it didn't, of course – probably because it was already desperate to get someone to buy it following years of abortive efforts by CEO Marissa Mayer to turn around what was once the internet's poster child.
The SEC also found that Yahoo! did not share information on the breach with either auditors or its outside lawyers. The Canadian who helped the Russians gain access to the data faces eight years in jail.
Yahoo! has "neither admitted nor denied the findings in the SEC's order" - which is so Yahoo!.
For some reason Verizon still bought the dried-out husk of the company in June 2017, although it extracted a significant reduction in the share price. It paid $350m less than its initial offer but it is estimated that it will cost Verizon $500m to clean up the mess Yahoo! left behind.
Showing just how far the company had fallen in people's good graces, it then changed its name to Altaba. That's Altaba. No, try again, Altaba. Whatever.
Well, Altaba is still on the hook for the hack, with a judge last month refusing to throw out a lawsuit brought by users against the company.
Part of the final bill may be covered by the sale this week of once-lauded photo site Flickr, which Yahoo! bought for around $25m in 2005 and also managed to screw up. It was bought for an undisclosed amount by popular photo site SmugMug.
Oh, and earlier this month, Yahoo! Mail relaunched and revamped itself. Will anyone care? ®