The U.S. Securities and Exchange Commission is reportedly looking into whether two data breaches at Yahoo!, Inc. should have been disclosed earlier. In a front page article today, the Wall Street Journal reported that “people familiar with the matter” say the SEC is investigating whether Yahoo!’s disclosures complied with the securities laws.
Last year, in public filings, Yahoo! confirmed that more than 1.5 billion of its users’ personal information was compromised in separate breaches. Yahoo! reported that the two unrelated cyber-attacks occurred in August 2013 and late 2014. Notably, Yahoo! did not disclose the hacks until the fall of 2016, nearly two years after the data breaches occurred. Though Yahoo! has appointed a committee to investigate the 2014 breach, since Yahoo’s September and December data breach announcements, the company has provided the public with little information or detail about the hacks.
Yahoo!’s delayed discovery of the cyber-attacks left customers and eight U.S. Senators wondering why it took the company so long to uncover such massive breaches. In a November 2016 SEC filing, Yahoo disclosed that it was cooperating with the SEC, U.S. Federal Trade Commission and other federal, state and foreign governmental officials and agencies.
We will continue to monitor the SEC’s investigation.