SEC Penalizes Yahoo $35M for Massive, Undisclosed Cyber Theft (jdsupra.com)
195 points by velmu 9 months ago | 48 comments

In 2015 I was targeted by scammers who claimed to be from Microsoft and said that I had a virus on my Dell computer. Another graduate student had originally registered the computer with Dell technical support. When the hard drive failed I updated the phone number, but I had overlooked updating the name in the contact info. When the scammers called me they addressed me by the name of the other grad student. I tried to report this breach to Dell at the time, but I didn't get anywhere. Seeing this news reminded me of the incident and I searched to see if Dell had disclosed the breach. I found a few articles from early 2016 where others were reporting similar experiences but Dell was not admitting at that time that they had experienced a breach [1-3]. In May 2016 Dell still claimed that they had "no indication that customer information used in the scams has been obtained through an external attack" [4]. Does anyone know if they ever admitted to the breach? They ought to be sanctioned as well if they failed to disclose.

[1] https://krebsonsecurity.com/2016/02/dell-to-customers-report...

[2] https://www.cio.com/article/3020733/security/scammers-target...

[3] https://arstechnica.com/information-technology/2016/01/lates...

[4] https://blog.dell.com/en-us/dell-phone-tech-support-scams/

I found a couple Hacker News threads related to this breach [1,2]. Did anyone end up reporting it to the FTC? I just filed a tip with the SEC. Curious to see if they follow up.

[1] https://news.ycombinator.com/item?id=10841385

[2] https://news.ycombinator.com/item?id=9881674

Somebody got my information from somewhere - I have no clue, and tried to target me with the Microsoft Support scam. It was hilarious, and I wrote about my own experience[1], but I do wonder how many unsuspecting folks fall prey to it. :(

[1] https://www.technorms.com/60343/avoid-phone-scam-windows-mic...

They're possibly telling the truth. Maybe they weren't breached. They may have just sold their customer list to one of their "marketing partners" who was either breached or are the crooked actors themselves.

Hundreds of millions of users had their data stolen. Putting this fine at less than a dollar per user. Is that really what our private information and security is worth? Who cares if they're being fined when it's a slap on the wrist. To all those talking about billion dollar fines on Facebook: fat chance.

I mean, the crime here isn’t against users, it’s against investors right? That’s why the SEC involved. I don’t even know who enforces the meager consumer privacy protections we have these days.

> I don’t even know who enforces the meager consumer privacy protections we have these days.

Based on the fact that the ISPs lobbied to be able to sell browsing history... I don't think any government agency truly enforces consumer privacy protection.

FB's case is different. I think the term for FB's case is private data abuse rather than leak. Cambridge Analytica took the data through API just like every other app doing at the time, but violated the terms of use. FB is guilty because it designed the wrong way (no excuse) to share the information (still under consent). For example, banks share your personal info around all the time (say promo mails). For Yahoo, that's ... poor technology & management.

You're making the case that Facebook was negligent and Yahoo wasn't. I don't think that's true because Yahoo kept the hack a secret from auditors and users for 3 years.

Considering there was a foreign state agent involved in the hack, we should consider the possibility that Yahoo could not disclose the hack even if they wanted to.

As this is the SEC, making a fine on behalf of investors, it reflects the impact to investors. That being, that unfortunately most users continue to use platforms in spite of serious security and/or privacy concerns. Combined with weak consumer protection, this makes the consequences for the company fairly minor.

To be fair that's SEC, they deal with investor issues.

Not that FTC will hurt them more given their past penalties but...

IMO, the penalty should be xx% of their revenue. Customer data is sacred; unless you can secure it, don't ask for it.

Most users will give away their personal data for a discount of less than a dollar, sometimes even for free. So yeah, the market rate for our personal information is very low per person.

A dollar is generous. The value of any individual user’s data is far simpler: worthless.

So about a $1 fine for every 100 accounts exposed [1]. Also the entire sum is less than what Marissa Mayer got every year in salary [2], as well as a small fraction of what she got as compensation for selling Yahoo to Verizon [3].

[1] http://money.cnn.com/2017/10/03/technology/business/yahoo-br...

[2] https://www.nytimes.com/2017/06/03/technology/yahoo-marissa-...

[3] http://www.latimes.com/business/technology/la-fi-tn-yahoo-sn...

The headline is rather misleading — the SEC penalized Yahoo for not disclosing the breach to investors, not for the breach itself.

Agreed, the $35 million penalty was to settle charges that Yahoo "misled investors by failing to disclose one of the world’s largest data breaches".

The breach occurred on Dec 14th 2014 and it wasn't disclosed until 2016 during the acquisition by Verizon.

Taken from the SEC's site:

"Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure."

The word undisclosed in the title is doing the work you're asking it to, as far as I can tell. How would you choose to word it differently?

It says “for adjective adjective cyber theft”, which implies the undisclosed is just modifying the object they were fined for. GP is not alone in their confusion, top comment right now is talking about how it’s a slap on the wrist _for the breach_ (and not for the lack of disclosure).

A better title would be “SEC Penalizes Yahoo for Failure to disclose Massive security breach”

Then failure to disclose is the object

Makes sense. Thanks for the alternate read.

No, it isn’t. “Undisclosed” is an adjective. The title says that the SEC penalized Yahoo for a “cyber theft” that was “massive” and “undisclosed.”

“SEC Penalizes Yahoo $35M for Non-Disclosure of Massive Cyber Theft” would be better.

Wow, I can't believe Marissa Mayer got away with all this, pocketing a nice lump sum while still being portrayed as some heroic female icon. I paid a lot for her incompetence - hackers took control of my bank accounts and I wasn't able to log in to my net banking without visiting my nearest branch. I know I wasn't the only one. Fuck Yahoo. Fuck Mayer.

Since it's the SEC, I'm assuming it's some fine for defrauding in the sale process to Verizon. So who's paying the fine?

UPDATE: Seems like it's Altaba that's paying the fine.

I am looking forward to GDPR. At least then companies cannot delay disclosure anymore.

So we have a management team, many of whom could have blown the whistle on this. They act like scum. They suffer no personal penalty under law.

Wow we must have a sophisticated, moral civilisation here.

Does this kind of stuff damage CEO's reputation in the job market? I'm trying to grasp what was at stake that made the executive(s) withhold publicizing the breach...

Not to get too cynical, but... it shows loyalty. A CEO that presided over a security breach, kept it as quiet as possible, and only cost the company $35MM. Like it or not, his job is to protect the company, not the users.

Compared to, say, Zuckerberg or Equifax's public raking over the coals.

>A CEO that presided over a security breach, kept it as quiet as possible, and only cost the company $35MM. Like it or not, his job is to protect the company, not the users.

Sorry to be pedantic but it'd be 'her job', in this case - Marissa Mayer was CEO at the time.

I wasn't sure which to say. Marissa was CEO at the time of the breach, and Tim Armstrong is CEO now.

She testified and took a lot of the blame, whereas the fine happened under Tim Armstrong. I figured I'd go with the latter since that's when the fine came down, but I think both deserve credit (good or bad).

'they' is a useful gender-agnostic singular pronoun when you're not sure. https://en.wikipedia.org/wiki/Singular_they

English is not my first language, so forgive my asking, but isn’t that sort of uncomfortable to use? Looking at the examples given, they’re all PA announcements or something similarly detached. It also seems easy to confuse with the plural. What’s the point of decreasing the clarity and utility of language for the sake of a percent of a percent who might be bothered?

English is my first language, and I think it sounds fine:

> A CEO ... . Like it or not, their job is to protect the company, not the users.

It wouldn't sound as correct if the subject was a specific person. In that case the gender-specific pronoun would be better.

> Marissa Mayer, as CEO ... . Like it or not, her job is to protect the company, not the users.

Even so, use of 'their' in the latter example would still be acceptable, if a little odd, because it's referring more to the role than the person (I think).

[edit] For what it's worth, I think you're overwhelmingly underestimating the percentage of people who think more gender-inclusive language is a useful thing.

That said, I didn't suggest the option because I was trying to make that point, I suggested it because the parent was dealing with a situation (unsure of gender of the CEO) where use of the singular they is really effective.

It's commonly used, at least in the UK, in informal speech even where the intent isn't to be gender-neutral, so it doesn't feel uncomfortable to use at all.

Yes, singular "they" is confusing and incorrect. "He" is gender neutral in that context.

Might I suggest you consult with professional linguists and grammarians on this topic? They will soon disabuse you of this prescriptivist nonsense about 'singular they'.

Language has always changed with time. The singular they is very well accepted today and has been for decades in most English speaking cultures. I find it interesting that some people seem to find it necessary to defend the older forms - not sure what purpose that serves.

No, it isn't. Gender neutral / non-binary people exist, and "he" is not the correct term.

They exist and should be respected, but represent a tiny minority. Changing pronouns for everyone to please that fraction of the population seems silly unless you’re addressing that fraction.

No? "They" is not incorrect nor is it even confusing to understand at all?

Tim Armstrong is not associated with Altaba in any form, so the fine did not happen under him.

It could potentially cost far more - the $35MM is just the SEC fine, they could still be subject to other actions by differing agencies. Whether that can or will actually happen? Who knows..

But in any case, Yahoo is already effectively dead, so this is pretty meaningless imho.

The CEO of Yahoo at the time of the fine is a male.

Who is the current CEO of Altaba?

$35M is peanuts. This is how scams work in the valley.

I wonder if this is related to their recent TOS change that requires arbitration and prohibits class action lawsuits.

What is this site? Have they any reputation? I ask because they say, somewhat illiterately:

“While those factors may caution the public, many wonder if anyone reads what is often viewed as nothing but legalize”.

I assume they mean “legalese”.

How much has Equifax paid in fines, to date?

How do they even define these "breaches" as single discrete events? Can you even imagine the amount of data Yahoo has leaked over the past 20 years?
