
SEC Penalizes Yahoo $35M for Massive, Undisclosed Cyber Theft - velmu
https://www.jdsupra.com/legalnews/sec-penalizes-yahoo-35-million-for-20427/
======
eksabajt
In 2015 I was targeted by scammers who claimed to be from Microsoft and said
that I had a virus on my Dell computer. Another graduate student had
originally registered the computer with Dell technical support. When the hard
drive failed I updated the phone number, but I had overlooked updating the
name in the contact info. When the scammers called me they addressed me by the
name of the other grad student. I tried to report this breach to Dell at the
time, but I didn't get anywhere. Seeing this news reminded me of the incident
and I searched to see if Dell had disclosed the breach. I found a few articles
from early 2016 where others were reporting similar experiences but Dell was
not admitting at that time that they had experienced a breach [1-3]. In May
2016 Dell still claimed that they had "no indication that customer information
used in the scams has been obtained through an external attack" [4]. Does
anyone know if they ever admitted to the breach? They ought to be sanctioned
as well if they failed to disclose.

[1] [https://krebsonsecurity.com/2016/02/dell-to-customers-report...](https://krebsonsecurity.com/2016/02/dell-to-customers-report-service-tag-scams/)

[2] [https://www.cio.com/article/3020733/security/scammers-target...](https://www.cio.com/article/3020733/security/scammers-target-dell-customers-after-apparent-data-breach.html)

[3] [https://arstechnica.com/information-technology/2016/01/lates...](https://arstechnica.com/information-technology/2016/01/latest-tech-support-scam-stokes-concerns-dell-customer-data-was-breached/?comments=1)

[4] [https://blog.dell.com/en-us/dell-phone-tech-support-scams/](https://blog.dell.com/en-us/dell-phone-tech-support-scams/)

~~~
eksabajt
I found a couple Hacker News threads related to this breach [1,2]. Did anyone
end up reporting it to the FTC? I just filed a tip with the SEC. Curious to
see if they follow up.

[1] [https://news.ycombinator.com/item?id=10841385](https://news.ycombinator.com/item?id=10841385)

[2] [https://news.ycombinator.com/item?id=9881674](https://news.ycombinator.com/item?id=9881674)

------
deft
Hundreds of millions of users had their data stolen. Putting this fine at less
than a dollar per user. Is that really what our private information and
security is worth? Who cares if they're being fined when it's a slap on the
wrist. To all those talking about billion dollar fines on Facebook: fat
chance.

~~~
mattnewton
I mean, the crime here isn’t against users, it’s against investors right?
That’s why the SEC is involved. I don’t even know who enforces the meager
consumer privacy protections we have these days.

~~~
milkytron
> I don’t even know who enforces the meager consumer privacy protections we
> have these days.

Based on the fact that the ISPs lobbied to be able to sell browsing history...
I don't think any government agency truly enforces consumer privacy
protection.

------
mtgx
So about a $1 fine for every 100 accounts exposed [1]. Also the entire sum is
less than what Marissa Mayer got every year in salary [2], as well as a
small fraction of what she got as compensation for selling Yahoo to Verizon
[3].

[1] [http://money.cnn.com/2017/10/03/technology/business/yahoo-br...](http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html)

[2] [https://www.nytimes.com/2017/06/03/technology/yahoo-marissa-...](https://www.nytimes.com/2017/06/03/technology/yahoo-marissa-mayer-compensation.html)

[3] [http://www.latimes.com/business/technology/la-fi-tn-yahoo-sn...](http://www.latimes.com/business/technology/la-fi-tn-yahoo-snap-20170425-story.html)

------
wrs
The headline is rather misleading — the SEC penalized Yahoo for _not
disclosing_ the breach to investors, not for the breach itself.

~~~
grzm
The word _undisclosed_ in the title is doing the work you're asking it to, as
far as I can tell. How would you choose to word it differently?

~~~
mattnewton
It says “for adjective adjective cyber theft”, which implies the undisclosed
is just modifying the object they were fined for. GP is not alone in their
confusion, top comment right now is talking about how it’s a slap on the wrist
_for the breach_ (and not for the lack of disclosure).

A better title would be “SEC Penalizes Yahoo for Failure to disclose Massive
security breach”

Then failure to disclose is the object.

~~~
grzm
Makes sense. Thanks for the alternate read.

------
neya
Wow, I can't believe Marissa Mayer got away with all this, pocketing a nice
lump sum while still being portrayed as some heroic female icon. I paid a
lot for her incompetence - Hackers took control of my bank accounts and I
wasn't able to log in to my net banking without visiting my nearest branch. I
know I wasn't the only one. Fuck Yahoo. Fuck Mayer.

------
chrischen
Since it's the SEC, I'm assuming it's some fine for defrauding in the sale
process to Verizon. So who's paying the fine?

UPDATE: Seems like it's Altaba that's paying the fine.

------
jeltz
I am looking forward to GDPR. At least then companies cannot delay disclosure
anymore.

------
MikeGale
So we have a management team, many of whom could have blown the whistle on
this. They act like scum. They suffer no personal penalty under law.

Wow we must have a sophisticated, moral civilisation here.

------
forkerenok
Does this kind of stuff damage CEO's reputation in the job market? I'm trying
to grasp what was at stake that made the executive(s) withhold publicizing the
breach...

~~~
gkoberger
Not to get too cynical, but... it shows loyalty. A CEO that presided over a
security breach, kept it as quiet as possible, and only cost the company
$35MM. Like it or not, his job is to protect the company, not the users.

Compared to, say, Zuckerberg or Equifax's public raking over the coals.

~~~
leggomylibro
>A CEO that presided over a security breach, kept it as quiet as possible, and
only cost the company $35MM. Like it or not, his job is to protect the
company, not the users.

Sorry to be pedantic but it'd be 'her job', in this case - Marissa Mayer was
CEO at the time.

~~~
gkoberger
I wasn't sure which to say. Marissa was CEO at the time of the breach, and Tim
Armstrong is CEO now.

She testified and took a lot of the blame, whereas the fine happened under Tim
Armstrong. I figured I'd go with the latter since that's when the fine came
down, but I think both deserve credit (good or bad).

~~~
allannienhuis
'they' is a useful gender-agnostic singular pronoun when you're not sure.
[https://en.wikipedia.org/wiki/Singular_they](https://en.wikipedia.org/wiki/Singular_they)

~~~
DmenshunlAnlsis
English is not my first language, so forgive my asking, but isn’t that sort of
uncomfortable to use? Looking at the examples given, they’re all PA
announcements or something similarly detached. It also seems easy to confuse
with the plural. What’s the point of decreasing the clarity and utility of
language for the sake of a percent of a percent who might be bothered?

~~~
ams6110
Yes, singular "they" is confusing and incorrect. "He" is gender neutral in
that context.

~~~
zimpenfish
Might I suggest you consult with professional linguists and grammarians on
this topic? They will soon disabuse you of this prescriptivist nonsense about
'singular they'.

------
node-bayarea
$35M is peanuts... this is how the scam works in the valley.

------
crystaln
I wonder if this is related to their recent TOS change that requires
arbitration and prohibits class action lawsuits.

------
saaaaaam
What is this site? Have they any reputation? I ask because they say - somewhat
illiterately:-

“While those factors may caution the public, many wonder if anyone reads what
is often viewed as nothing but legalize”.

I assume they mean “legalese”.

------
Dowwie
How much has Equifax paid in fines, to date?

------
aphextron
How do they even define these "breaches" as single discrete events? Can you
even imagine the amount of data Yahoo has leaked over the past 20 years?

