The United States Securities and Exchange Commission has fined Yahoo (or what's left of the company) $35 million for failing to disclose a massive security breach that took place in 2014.
The fine is for the first Yahoo data breach that came to light in 2016 —the one where hackers stole the usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions for over 500 million Yahoo users.
Yahoo admitted to a second data breach later in 2016. This data breach took place in 2013, and Yahoo said a "state-sponsored actor" stole the details for over one billion users.
The SEC has fined Yahoo for failing to disclose the breach to its shareholders.
The fine comes after Yahoo filed its quarterly documents in November 2016, two months after announcing the first breach, admitting that it knew about the breach since 2014, and not 2016, when the breach became public. This meant that Yahoo leadership purposely hid the data breach.
The SEC argues that Yahoo failed to protect shareholders when it hid the security breach, nor did it share this data with auditors or any outside counsels responsible for its public filings during that time, something against SEC policy.
Furthermore, the SEC also sanctioned Yahoo for failing to set up proper disclosure controls and procedures for its information security team, arguing that reports from the company's security staff were never taken into consideration in its public filings.
The fine is small in comparison to Yahoo's value. Verizon bought parts of the original Yahoo company for $4.83 billion.
Verizon renamed the Yahoo sections it acquired as Oath, while the leftover Yahoo divisions renamed into Altaba. The latter must now pay the SEC fine.
Yahoo is also facing several class-action lawsuits regarding the 2013 and 2014 breaches.
The US charged four hackers for the Yahoo 2014 data breach for which Yahoo was fined today. Two of the alleged hackers are Russian intelligence agents, while the other two are a Russian hacker named Magg, and a Russian national living in Canada.
By coincidence, the latter, a 23-year-old named Karim Baratov, was supposed to be sentenced today, but the judge delayed his sentencing for next month, with the judge seeking additional information regarding sentencing decisions in similar cases.
Prosecutors asked for a seven years and ten months prison sentence. The other three accused are still at large.