The U.S. Securities and Exchange Commission (SEC) today fined Altaba, the entity formerly known as Yahoo! Inc., $35 million to settle charges that it failed to disclose its record-breaking data breach to investors.
It is hard to imagine an InfoSec team, company management, and legal counsel all staying quiet about something like this. But they did.
Says the SEC: "Within days of the December 2014 intrusion, Yahoo's information security team learned that Russian hackers had stolen what the security team referred to internally as the company's 'crown jewels': usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts."
Jina Choi, Director of the SEC's San Francisco regional office, says: “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Those investors were in the dark for years, and when the news broke in 2016, it cost Yahoo dearly:
"The day after Yahoo publicly disclosed the breach, Yahoo’s market capitalization fell nearly $1.3 billion by virtue of a 3% decrease in its stock price. After Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, representing a 7.25% reduction in price."
The Yahoo case was an example that Cigna CISO James Beeson shared at a SecureWorld cybersecurity conference. "A breach is no longer just about the cost of detection and response, it can have a major impact on the business, its reputation and its value," he says.
There is no longer any doubt about that.
For more detail, read the SEC's own account of the $35 million Yahoo fine.