Did Yahoo Wait Too Long To Disclose Massive 2014 Data Breach? SEC Investigating


Yahoo, the online company that hosted your email in 2001, was the victim of two huge account breaches in 2013 and 2014, but didn’t tell customers or investors until last year. Now the Securities and Exchange Commission is one of the government entities investigating the breach, to find out whether Yahoo kept the info from its investors for too long.

The breach has had far-reaching consequences for Yahoo, including jeopardizing its planned acquisition by Verizon or at least affecting the price.

This is part of a larger question for the SEC spanning breaches of other public companies, though.

A 2012 investigation by Reuters showed that companies were delaying reporting data breaches, keeping important information from investors and prospective investors, not to mention their customers. Yahoo reportedly knew about the breach and had identified the culprit as early as 2014, noting that “The Company had identified that a state-sponsored actor had access to the Company’s network in late 2014.”

Why did Yahoo take two years to tell the public and its investors about the smaller breach, and three years to admit the larger one? The company hasn’t provided a reason, but the lengthy delay and clear evidence that someone in the company was aware of the successful attacks close to the time that they happened mean that the SEC could use Yahoo as its first case.

The agency has brought cases against companies for permitting data breaches to happen to their customers. Yahoo’s case is unusual, though, because of the unprecedented size (1.5 billion accounts) and how announcing the incident affected the company’s stock price and its prospects for having its core online services business acquired by Verizon.
