January 26, 2017

Report: The SEC is Probing Yahoo Over Data Breaches

Authorities are investigating whether Yahoo should have reported its two significant data breaches to investors sooner than it did, according to a Wall Street Journal report.

According to sources of the publication, the Securities and Exchange Commission (SEC) has opened an investigation into Yahoo’s breach notification process. More specifically, the SEC issued requests for documents back in December to ascertain if Yahoo’s disclosures about the two massive cyberattacks complied with civil securities laws. SEC regulations require companies to immediately disclose cybersecurity risks when they are determined to have an impact on investors.

Case in point, Yahoo’s 2014 data breach saw the compromise of data belonging to nearly 500 million users. Although the company linked the incident to state-sponsored hackers that year, the breach was only disclosed in September 2016. In mid-December 2016, Yahoo claimed that it had only recently discovered a data breach from August 2013, one that compromised the details of over 1 billion Yahoo users.

WSJ sources further add that the SEC investigation is in its early stages and it’s still far too early in the process to determine any public action or sanctions.

According to legal experts, the SEC has been looking for a past case to clarify the finer details of what kind of conduct would fail to comply with the guidelines the SEC issued in 2011. Previously, the Target breach from 2013 that saw the compromise of some 70 million credit- and debit-card accounts was disclosed weeks after the breach began. Following an investigation, the SEC recommended no enforcement action against Target.

A Precedent

Regardless, the SEC’s investigation into the Yahoo breach is certain to set a precedent. The SEC has never before brought a case against a company for failing to disclose a data breach.

It is all the more notable that Yahoo’s shares dropped immediately after each data breach disclosure.

In a quarterly securities filing in November 2016, Yahoo claimed that it was cooperating with a number of agencies, “federal state and foreign”, that sought information on the 2014 breach. Those agencies included the SEC.

The WSJ report also points to one insider who claims that Yahoo initially believed those impacted by the breach to be fewer than the 500 million users that the tech giant eventually disclosed. In an SEC filing, the company’s board of directors also claimed that they appointed a committee to investigate “the scope of knowledge within the Company” in relation to the 2014 breach.

Verizon Deal in Danger?

The two breach disclosures by Yahoo came after it had already agreed to sell its core business to telecom giant Verizon in July 2016. Verizon has since stated that it is studying whether the revelations of the breaches result in a drop in Yahoo’s user base before proceeding with the deal.

It remains to be seen if the deal stands to be renegotiated or even terminated in light of two of the biggest data breaches ever revealed.
