In 2014, Yahoo experienced a breach that exposed the personal information of approximately 500 million users. However, the company refused to inform anyone, and the news did not break until late 2016. For its failure to disclose the incident and inform the affected users, the company formerly known as Yahoo! (currently Altaba, consisting of the parts that did not merge with Verizon to become Oath) has agreed to pay a fine of $35 million to the SEC.
According to the SEC's order, Yahoo's information security team discovered within days of the December 2014 breach that Russian hackers had made off with personal information. The thieves took email addresses, usernames, birthdates, phone numbers, security questions, and encrypted passwords. Despite being aware of this, Yahoo's senior management did not initiate a proper investigation of the incident or disclose the breach to investors and the affected users. In fact, the breach was only made public two years later, when the corporation was already in the process of finalising an acquisition deal with Verizon.
However, Yahoo was not primarily fined for misleading the affected users. The fine was imposed for the two years of annual and quarterly reports the company filed that did not disclose the breach or its legal and business implications. Yahoo even concealed the incident from the outside counsel and auditors who would have told the company whether it was required to include the intrusion in its filings in the first place. Whatever the case, the settlement closes the door on one of the biggest consumer data breaches in recorded history.