Did Yahoo take too long to disclose two massive data breaches? The U.S. Securities and Exchange Commission (SEC) is investigating whether the media company complied with civil securities laws, according to a report on Sunday in the Wall Street Journal. In other words, did the Sunnyvale, Calif.-based multinational technology company wait too long to issue its statement about the security incidents.
While Yahoo revealed in a November 2016 Form 10-Q quarterly filing that it was working with regulators, including the SEC, in an investigation into the two incursions, the SEC is now questioning whether the firm should have notified investors earlier, the WSJ reported.
The company came under scrutiny after it was revealed that one massive data breach in September 2014 exposed email credentials of half a billion subscribers. Just a few months later, in December 2014, it was reported that one billion user accounts had been exposed in August 2013.
Prompted by a request in September from Democratic U.S. Senator Mark Warner – who asked whether Yahoo and its executives followed security industry rules in notifying investors, as well as the public, subsequent to the 2014 breach – the SEC requested documents from Yahoo last month.
The SEC probe and negative publicity comes at a time when Yahoo's internet business is an acquisition target for Verizon Communications. The $4.8 billion deal is expected to go through soon as business analysts say thatdespite the negative publicity around the breaches, Yahoo's coveted ad technology comes at a bargain price for Verizon.
Yahoo's stock has declined a mere one percent in the last three months while it posted a gain of 46 percent the past year. Yahoo announces its 2016 results after the closing bell on Monday, while Verizon announces its results on Tuesday.
The SEC investigation highlights the importance of breach response in cyber, Dimitri Sirota, CEO of BigID, told SC Media on Monday. "Just like after Katrina and Sandy, municipalities learned they had to prepare for natural disasters to minimize fallout. Organizations have work to do to better plan and execute breach response, including identifying who inside the organizations was impacted."
George Avetisov, CEO of HYPR Corp., agreed that there was a time when it was difficult for corporations to estimate the financial damage of a large data breach. "Between the Verizon acquisition, a tumbling stock price, and now an SEC probe, Yahoo is living proof that large data breaches can send very quantifiable shockwaves throughout the enterprise," he told SC Media on Monday.
Yahoo has proven that companies must invest generously into their internal security infrastructure, Avetisov said. "The cost of a breach far outweighs the investment in greater security. A massive hack like this can quickly drive the value of a company to zero.”
The Federal Trade Commission, the U.S. Attorneys Office in Manhattan and a number of State Attorneys General, are also looking into the breach proceedings, Yahoo announced in its November filing.