Ex-Yahoo paying $35M to settle SEC charges over 2014 hack
WASHINGTON (AP) — The company formerly known as Yahoo is paying a $35 million fine to resolve federal regulators’ charges that the online pioneer deceived investors by failing to disclose one of the biggest data breaches in internet history.
The Securities and Exchange Commission announced the action Tuesday against the company, which is now called Altaba after its email and other digital services were sold to Verizon Communications for $4.48 billion last year. Yahoo, which is no longer publicly traded, neither admitted nor denied the allegations but did agree to refrain from further violations of securities laws.
Personal data was stolen from hundreds of millions of Yahoo users in the December 2014 breach attributed to Russian hackers. The SEC alleged that, although Yahoo senior managers and attorneys were told about the breach, the company failed to fully investigate. The breach wasn’t disclosed to the investing public until more than two years later, when Yahoo was working on closing Verizon’s acquisition of its operating business in 2016, the SEC said.
“Yahoo’s failure to have controls and procedures in place to assess its cyber disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” Jina Choi, director of the SEC’s San Francisco regional office, said in a statement.
Altaba spokesman Mike Pascale said the New York company declined to comment on the SEC settlement.
Sen. Mark Warner, D-Va., who urged the SEC in September 2016 to investigate whether Yahoo met its obligation to inform the public, said Tuesday that the company’s failure to do so “didn’t pass the smell test.”
“Holding the company accountable is important, and I hope others will learn you can’t sweep this kind of thing under the rug,” Warner, a member of the Senate Banking Committee, said in a tweet.
Sunnyvale, California-based Yahoo eventually acknowledged that the 2014 hacking attack and a separate one in 2013 affected all 3 billion accounts on its service.
Yahoo ended up having to give Verizon a $350 million discount on their deal, reflecting concerns that people might reduce their use of Yahoo email and other digital services because of the breach, decreasing opportunities to show ads.
In scooping up Yahoo’s digital services, Verizon’s strategy was to meld the operations with its AOL division with an eye to becoming a bigger player in the growing market for digital ads.
Yahoo’s most valuable parts — investments in China’s e-commerce leader Alibaba, and in Yahoo Japan — were left in Altaba. Yahoo CEO Marissa Mayer, a former Google executive who led Yahoo for nearly five years, did not join Verizon and was out of a job.
Prosecutors have said that two Russian intelligence agents, Dmitry Dokuchaev and Igor Sushchin, used information they stole from Yahoo to spy on Russian journalists, U.S. and Russian government officials and employees of financial services and other private businesses. In February 2017, they filed computer fraud and other charges against Dokuchaev, Sushchin and two other men — another Russian national, Alexsey Belan, and a Canadian named Karim Baratov.
A U.S. judge in San Francisco on Tuesday pushed back a sentencing hearing for Baratov, who prosecutors say was hired by Dokuchaev to breach at least 80 email accounts obtained from the massive Yahoo hack. Baratov pleaded guilty in November to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft.
Judge Vince Chhabria questioned whether the sentence of seven years and 10 months that prosecutors were seeking for Baratov was longer than what other hackers had received for similar crimes.
Baratov’s attorneys have called for a sentence of three years and nine months.
Chhabria stressed that Baratov was not behind the Yahoo hack. He continued the sentencing hearing to May 29.
Authorities have described Baratov as an “international hacker-for-hire” who hacked more than 11,000 webmail accounts from around 2010 until his March 2017 arrest and used the money he made — roughly $1.1 million at about $100 per hacking victim — to finance a $650,000 home and fancy cars, including a Lamborghini and Aston Martin.
Associated Press writer Sudhin Thanawala in San Francisco contributed to this report.