Yahoo's cybersecurity failures continue to haunt the company -- now to the tune of $35 million.
The US Securities and Exchange Commission said Tuesday that Altaba, the company, has agreed to pay a penalty of that amount to settle charges that Yahoo failed to disclose a massive data breach from December 2014.
That breach, a state-sponsored attack, affected and was considered the largest data breach in history until Yahoo announced that had been hit in a separate, 2013 hack.
In the 2014 breach, Russian hackers stole data including phone numbers, passwords, birth dates and email addresses. The cyberattack didn't become public knowledge until 2016, when Yahoo announced it in a press release.
"Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," Jina Choi, director of the SEC's San Francisco regional office, said in a statement.
Altaba declined to comment.
Disclosing breaches to the public in a timely manner is important, for both investors and the people using the platform. It ensures that people can take precautions with their digital lives before it's too late. But companies have been slow to announce these hacks.
Multiple tech companies have faced scandals over being tardy to disclose a breach. In March, the Pennsylvania attorney general slammed Uber for. Facebook has been criticized for its Cambridge Analytica -- though no breach was involved -- because the social network took up to two years to notify the public after it learned about the issue, in 2015.
"I've been saying for years that Yahoo's failures to notify customers and investors about its massive data breach didn't pass the smell test," Sen. Mark Warner, a Democrat from Virginia, said in a statement. "Holding the company accountable is important, and I hope others will learn you can't sweep this kind of thing under the rug."
The SEC launched its, arguing that Yahoo misled investors by keeping quiet about its breaches. The revelations came as Yahoo was attempting to close a $4.83 billion acquisition deal from Verizon. The cybersecurity shortcomings led Verizon to knock and insist that the companies split legal and financial responsibilities related to the hack.
In a, Yahoo admitted that some of its employees were aware of the 2014 breach but failed to disclose it.
The Justice Department has indicted the, though the attackers behind the 2013 breach are still unknown. Marissa Mayer, Yahoo's CEO during the breaches, , but she didn't explain why it took so long to announce the attack.
First published 9:35 a.m. PT
Updates, 9:47 a.m.: Includes details on breach disclosures; 10:02 a.m.: Adds statements from Sen. Mark Warner and Altaba.