This is the first time a public company has been fined by regulators for failing to properly investigate a data breach, in this case its 2014 breach, and to disclose it to shareholders.
Technically this is not Yahoo anymore but its new owner, Altaba, and the Wall Street Journal just reported that "The Securities and Exchange Commission said Tuesday that Altaba Inc., formerly Yahoo, failed to properly investigate the breach and consider whether it should be disclosed to shareholders."
"The SEC said the company knew within days of the breach that Russian hackers had obtained usernames, phone numbers, birth dates, encrypted passwords, and security questions and answers for at least hundreds of millions of users, and perhaps billions. Yet Yahoo didn’t disclose the hack until 2016."
For almost two years Yahoo continued to publish generic investor disclosures about the risk of being hacked when it knew that it had already been a victim of a significant breach.
“The allegations in the complaint illustrate a complete corporate failure to disclose a data breach that was widely known and readily available in the company,” said Steven Peikin, co-director of the SEC’s enforcement division.
In late February 2018, the SEC released an interpretation of its current guidance on public company cyber disclosures. (When the SEC releases an interpretation of its own staff guidance, it expects companies to follow that new interpretation, even though the official requirements did not change.)
This publication (PDF) by Deloitte summarizes the SEC's views on how the existing rules should now be interpreted and compares them to the original 2011 cybersecurity-related disclosure requirements.
The Justice Department last year announced the indictments of two officers of Russia’s FSB (the successor of the KGB) for their roles in masterminding the hack, which penetrated accounts belonging to U.S. military officials and employees of firms in the banking, finance and transportation sectors.
Here's how the FBI says they did it:
The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It's unclear how many employees were targeted or how many emails were sent, but it only takes one person to click on a link, and that is what happened. It is unimaginable that Yahoo did not sufficiently step its employees through new-school security awareness training to prevent disasters like this.
So now that it's clear you just have to train your users ASAP, why choose KnowBe4?
OK, let's list the 5 reasons why KnowBe4 is the complete no-brainer option—after casually mentioning we are the fastest growing vendor in this field and have 17,000+ customers, more than all our competitors combined:
- KnowBe4 was recognized by Gartner as a Leader in the Magic Quadrant
- Goldman Sachs recently invested $30M of Series B funding in KnowBe4 because they believe in our mission
- The KnowBe4 platform was built from the ground up for IT pros that have 16 other fires to put out
- The KnowBe4 ModStore has the world's largest choice in fresh awareness training content
- Pricing is surprisingly affordable, and gives you a 127% ROI with a one-month payback
- BONUS: It's actually a lot of fun to phish your users and get the conversation started!
I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP because your filters have an average 10.5% failure rate. Get a quote now and you will be pleasantly surprised.
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc