Detailed Narrative of Events

(Extended Documentation for the SEC In the Matter of Altaba Inc., f/k/a Yahoo! Inc. (2018) Case Study)

Table of contents

  1. Overview
  2. 2014 intrusion and internal confirmation
  3. Period without adequate public disclosure (2015–2016)
  4. Public disclosure (September 2016)
  5. SEC investigation and order (April 2018)

Overview

The SEC’s April 24, 2018 administrative order addresses Altaba Inc. (formerly Yahoo! Inc.) and securities law failures connected to a 2014 cybersecurity intrusion affecting hundreds of millions of user accounts. The Commission found that Yahoo information security personnel learned of unauthorized access within days of the December 2014 intrusion, yet investors did not receive adequate disclosure in Exchange Act reports for roughly two years. The order imposed a cease-and-desist order and a $35 million civil money penalty; the company neither admitted nor denied the findings.

Primary source: In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., SEC File No. 3-18448 (Apr. 24, 2018).


2014 intrusion and internal confirmation

According to the SEC’s findings, state-sponsored actors stole user database backup files containing names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of user accounts. Yahoo’s information security team confirmed unauthorized access within days of the December 2014 intrusion.


Period without adequate public disclosure (2015–2016)

The SEC found that over the next two years, Yahoo filed multiple annual and quarterly reports that did not disclose the breach. Those filings included generic cyber risk disclosure rather than disclosure that a major breach had already occurred. The order further describes deficiencies in disclosure controls and procedures, including that Yahoo did not adequately inform auditors or outside counsel to assess disclosure obligations in light of the known breach.


Public disclosure (September 2016)

Yahoo publicly disclosed the 2014 incident in September 2016, amid events that included M&A activity (as described in the order and public reporting). The lag between internal confirmation and public disclosure became a central enforcement theme.


SEC investigation and order (April 2018)

The SEC instituted administrative proceedings and, on April 24, 2018, issued the cease-and-desist order and penalty described above. The matter illustrates how cybersecurity facts intersect with securities disclosure controls, auditor communication, and management reporting lines—not merely technical IR containment.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM