Yahoo's cybersecurity failures continue to haunt the company -- now to the tune of $35 million.
The US Securities and Exchange Commission said Tuesday that Altaba, the company formed from the ashes of Yahoo's sale to Verizon, has agreed to pay a penalty of that amount to settle charges that Yahoo failed to disclose a massive data breach from December 2014.
In the 2014 breach, Russian hackers stole data including phone numbers, passwords, birth dates and email addresses. The cyberattack didn't become public knowledge until 2016, when Yahoo announced it in a press release.
Watch this: All Yahoo users affected by largest hack in history
"Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach," Jina Choi, director of the SEC's San Francisco regional office, said in a statement.
Altaba declined to comment.
Disclosing breaches to the public in a timely manner is important, for both investors and the people using the platform. It ensures that people can take precautions with their digital lives before it's too late. But companies have been slow to announce these hacks.
Multiple tech companies have faced scandals over being tardy to disclose a breach. In March, the Pennsylvania attorney general slammed Uber for waiting more than a year to reveal a breach. Facebook has been criticized for its Cambridge Analytica data scandal -- though no breach was involved -- because the social network took up to two years to notify the public after it learned about the issue, in 2015.
"I've been saying for years that Yahoo's failures to notify customers and investors about its massive data breach didn't pass the smell test," Sen. Mark Warner, a Democrat from Virginia, said in a statement. "Holding the company accountable is important, and I hope others will learn you can't sweep this kind of thing under the rug."
The SEC launched its investigation in January 2017, arguing that Yahoo misled investors by keeping quiet about its breaches. The revelations came as Yahoo was attempting to close a $4.83 billion acquisition deal from Verizon. The cybersecurity shortcomings led Verizon to knock $350 million off its buying price and insist that the companies split legal and financial responsibilities related to the hack.