SEC launches Yahoo investigation over improper handling of cyberattacks

The agency is looking into whether the tech company waited too long to tell investors of the breaches.

CREDIT: AP Photo/Michael Probst, File
CREDIT: AP Photo/Michael Probst, File

After unveiling a newer, smaller corporate identity following the sale of most of its holdings to Verizon, Yahoo is facing a federal probe for how it handled its massive data breaches, the Wall Street Journal reported.

The Securities and Exchange Commission (SEC) is investigating Yahoo to determine whether the company kept investors in the dark regarding its two mega-breaches that exposed more than a billion consumers’ data in two major breaches since 2013.

Yahoo previously mentioned it was cooperating with international, state, and federal agencies regarding the 2014 breach, including the Federal Trade Commission and SEC, the Journal reported.

The investigation will likely focus on the 2014 hack, which wasn’t publicly disclosed for two years. Even in the face of mounting criticism, Yahoo hasn’t given any reason for their failure to disclose the breach sooner, an incident that could affect the company’s sale to Verizon.

The SEC’s investigation may not yield any formal action, but it renews the spotlight on how companies handle data breaches. Public and government interest in breaches surged following the exposure of more than 70 million Target customers’ payment information in 2013, and again following 2014’s Sony state-sponsored hack, which was attributed to North Korea.


Data breaches are a costly headache for businesses. But even as they become more common, companies aren’t held to uniform standards of protocol when data is exposed or stolen.

Following the Target breach, the Obama administration began taking steps to prevent the next attack. But legislative attempts mandating breach notification have failed. The Personal Data and Notification Act, which would require companies to notify the public of data breaches within 30 days of discovery, was introduced in 2015. Had it made it passed the House subcommittee review, the law would’ve carried a fine penalty of up to a $1,000 per day per person affected. The law also would’ve superseded the 47 state laws (and the District of Columbia), which have varying standards of when notification has to be made and what types of information breach qualifies.

The Yahoo investigation is significant because of the vast extent of the breaches and the lag in public notification. But unless there’s renewed Congressional interest, there’s no guarantee of a legislative solution that prioritizes breach notification.