# In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc. (2018) — SEC Cybersecurity Disclosure
## Table of contents
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
## Executive Summary
The Securities and Exchange Commission charged Yahoo! Inc. (later Altaba Inc.) with misleading investors by failing to disclose a 2014 data breach affecting hundreds of millions of user accounts. According to the SEC’s April 24, 2018 order, Yahoo’s security team learned of the intrusion within days, yet for approximately two years the company’s periodic reports did not disclose the breach and instead described data-breach risk only in generic terms. The Commission found failures of disclosure controls and procedures and imposed a cease-and-desist order and a $35 million civil penalty; Yahoo neither admitted nor denied the findings.
## Regulatory and Legal Outcomes
### SEC enforcement
Administrative proceeding File No. 3-18448 — In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc. The order finds violations of Securities Act Sections 17(a)(2) and (3) and Exchange Act Section 13(a) and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 (including disclosure controls). Remedies include cease-and-desist and a civil money penalty.
### Legal theory (high level)
- Material omission: Failure to disclose a known, large-scale breach while filing periodic reports that did not inform investors of that fact.
- Disclosure controls: Inadequate procedures to ensure cybersecurity incident information reached personnel responsible for accurate Exchange Act reporting, including coordination with auditors and outside counsel.
## Security Technical Summary
### Summary
The SEC’s findings emphasize governance and disclosure rather than a particular exploit chain: a 2014 intrusion led to the theft of a user database backup at massive scale. The security team identified the incident quickly, but the company’s disclosure processes did not produce timely investor-facing disclosure for an extended period.
### Incident flow (as described in public materials)
- December 2014 — Intrusion and theft of user database backup files (names, emails, phones, DOB, hashed passwords, security Q&A) affecting hundreds of millions of accounts.
- Within days — Yahoo information security confirms unauthorized access.
- 2015–2016 — Periodic reports continue without disclosure of the specific breach; risk factors describe breach risk in general terms.
- September 2016 — Public disclosure of the 2014 breach.
- April 2018 — SEC order and penalty.
### Engineering and process takeaways
**Incident-to-disclosure workflow**
- Define when a confirmed intrusion triggers legal, finance, and disclosure committee review.
- Preserve timelines tying detection, containment, and disclosure decisions.
**Materiality and documentation**
- Document why incident information was or was not included in filings.
- Align security severity metrics with securities counsel criteria for materiality.
**Third-party assurance**
- Ensure auditors and outside counsel receive information needed to assess reporting obligations.
## Understanding Regulatory and Court Orders
Read the originals; the SEC order is the authoritative source. Use the Understanding Regulatory and Court Orders guide (listed in the case pack below) to interpret the findings and undertakings.
| Document | Date | Source | Key obligation / holding |
|---|---|---|---|
| Order Instituting Cease-and-Desist Proceedings (File No. 3-18448) | Apr. 24, 2018 | SEC | Cease-and-desist; civil penalty; findings on disclosure failures and disclosure controls |
| SEC press release (2018-71) | Apr. 24, 2018 | SEC | Public summary of charges and settlement |
## Case Pack Documents
| Case Document | Summary | Writing Scenario |
|---|---|---|
| **Executive and board** | | |
| Board Pack | Security status and disclosure risk after SEC order. | CISO briefs Board Audit Committee after SEC cease-and-desist order (May 2018). |
| Executive Security Risk Summary | Executive view of incident and disclosure risks. | Security Director prepares summary for CEO and CFO on disclosure control gaps. |
| Security Program Status Report | Program metrics and remediation status. | Lead Security Engineer reports IR and escalation process improvements post-order. |
| Strategic Security Initiative Justification | Business case for disclosure-aligned security investments. | CISO seeks funding for incident-to-disclosure workflow tooling. |
| **Regulatory and compliance** | | |
| Regulatory Security Explanation | Explain controls and escalation to regulators. | CISO drafts narrative on security-to-disclosure escalation for SEC staff (illustrative). |
| Compliance Justification Document | Map controls to disclosure obligations. | Compliance maps disclosure controls to SOC and IR evidence. |
| Controls → Evidence Map | Evidence for disclosure and security controls. | Senior engineer prepares evidence appendix for counsel. |
| Governance Response Memo | Governance response on oversight. | CISO responds to board questions on incident escalation governance. |
| **Legal-technical** | | |
| Detailed Narrative of Events | Chronology for counsel. | Legal and security align on SEC order timeline. |
| Security Architecture Explanation for Legal Review | Technical context for investigations. | Engineer explains logging and detection for disclosure support. |
| Risk Register | Material risks post-order. | Security Director maintains register including disclosure risk. |
| Security Decision Documentation | Document major decisions. | Document rationale for incident classification vs. disclosure trigger. |
| **Policy and governance** | | |
| Security Policy Draft | Policy updates. | Director drafts policy for incident escalation to legal. |
| Security Governance Memo | Roles and escalation. | CISO clarifies RACI for disclosure committee inputs. |
| Security Program Justification | Program scope and resources. | CISO justifies disclosure-controls alignment program. |
| Internal Security Directive | Mandatory internal requirements. | CISO mandates reporting line for confirmed intrusions. |
| **Public communication** | | |
| Security Public Statement | External statement drafting. | CISO drafts coordinated disclosure language (illustrative). |
| Customer Security Explanation | Customer-facing explanation. | Security lead drafts customer FAQ on incident history (illustrative). |
| Security Transparency Report Section | Transparency reporting. | CISO drafts transparency section on incident response and disclosure process. |
| **Operational (case-pack specific)** | | |
| Audit Packet Checklist | 48-hour evidence readiness. | Team assembles disclosure-control evidence. |
| Implementation Checklist | Phased remediation. | Program owner executes 0–90 day disclosure-alignment plan. |
| Understanding Regulatory and Court Orders | Interpret the SEC order. | Counsel and CISO walk through order sections. |
## Facts and Timeline
- December 2014 — Intrusion affecting user account data at massive scale (per SEC order).
- Within days of intrusion — Yahoo information security confirms unauthorized access (per SEC order).
- 2015–2016 — Periodic Exchange Act filings do not disclose the specific breach; generic cyber risk disclosure continues (per SEC order).
- September 2016 — Public disclosure of the 2014 breach.
- April 24, 2018 — SEC issues cease-and-desist order and $35 million civil penalty; Yahoo neither admits nor denies the findings.
## References
**Primary (official documents)**
- SEC Order — In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., File No. 3-18448 (Apr. 24, 2018) (PDF).
- EDGAR exhibit — Exhibit 99.1 (HTML).
**Cited**
- U.S. Securities and Exchange Commission. Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, Apr. 24, 2018.
https://www.sec.gov/newsroom/press-releases/2018-71