This is the first time that a public company has been fined by regulators for failing to properly investigate a data breach (in this case, the 2014 breach) and disclose it to shareholders.
Technically this is not Yahoo anymore, but their new owner Altaba, and the Wall Street Journal just reported that “The Securities and Exchange Commission said Tuesday that Altaba Inc., formerly Yahoo, failed to properly investigate the breach and consider whether it should be disclosed to shareholders.”
“The SEC said the company knew within days of the breach that Russian hackers had obtained usernames, phone numbers, birth dates, encrypted passwords, and security questions and answers for at least hundreds of millions of users, and perhaps billions. Yet Yahoo didn’t disclose the hack until 2016.”
For almost two years Yahoo continued to publish generic investor disclosures about the risk of being hacked when it knew that it had already been a victim of a significant breach.
“The allegations in the complaint illustrate a complete corporate failure to disclose a data breach that was widely known and readily available in the company,” said Steven Peikin, co-director of the SEC’s enforcement division.
In late February 2018, the SEC released an interpretation of its current guidance on public company cyber disclosures. (When the SEC releases an interpretation of its own staff guidance, it expects companies to follow that new interpretation, even though the official requirements did not change.)
This publication (PDF) by Deloitte summarizes the SEC’s views on how the existing rules should now be interpreted and provides a comparison to the original 2011 cybersecurity related disclosure requirements.
The Justice Department last year announced the indictments of two officers of Russia’s FSB (the successor of the KGB) for their roles in masterminding the hack, which penetrated accounts belonging to U.S. military officials and employees of firms in the banking, finance and transportation sectors.
Here’s how the FBI says they did it:
The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It is unclear how many employees were targeted or how many emails were sent, but it only takes one person to click on a link, and that is what happened. It is hard to understand why Yahoo did not sufficiently step its employees through security awareness training, such as KnowBe4's, to prevent disasters like this.