Yahoo's information security team found out that Russian hackers had made off with personal data days after the December 2014 breach. The thieves made off with usernames, email addresses, phone numbers, birthdates, encrypted passwords and security questions, according to the SEC's order. Despite having that information, Yahoo's senior management didn't properly investigate the incident or disclose it to investors and affected users. In fact, the breach was only made public two years later when the corporation was in the process of closing an acquisition deal with Verizon.
But Yahoo wasn't primarily fined for misleading affected users, however -- it's for the two years of quarterly and annual reports the company filed that didn't confess the breach or its business and legal implications. Yahoo even hid the incident from auditors and outside counsel that would have told the company whether it was obligated to include the intrusion in its filings to begin with. Whatever the case, this settlement closes the door on one of the largest consumer data breaches in history.