Yahoo reportedly under investigation by SEC over data breaches

Yahoo is facing an investigation by the U.S. Securities and Exchange Commission relating to its failure to promptly disclose to investors information about the two massive data breaches the company revealed last year.

The Wall Street Journal reports that the SEC requested documents from Yahoo in December to determine whether the company, which is in the midst of a $4.8 billion acquisition by Verizon, properly disclosed details about the cyberattacks and whether it complied with civil securities laws.

The road to closing the acquisition has been anything but smooth for Yahoo. Just two months after the purchase was announced, Yahoo claimed that “state-sponsored” hackers stole data from 500 million user accounts back in 2014. That certainly caught everyone off guard, and there were rumblings that Verizon would either back out or seek a $1 billion discount on the deal.

And if that wasn’t enough, two months after that Yahoo revealed another hack, this time dating as far back as August 2013, when more than 1 billion user accounts were compromised by an “unauthorized third party.” Nearly two months later, we’re now hearing about a probe by the U.S. government. This may lead some to wonder whether the Verizon deal will actually go through.

While the investigation focuses on what wasn’t disclosed to investors, it also probably includes the soon-to-be parent company Verizon, which has said repeatedly after each incident that it will “evaluate the situation as Yahoo continues its investigation.”

The Wall Street Journal says that the investigation is still in its early stages, so any penalties or legal action is still some time away. However, the probe by the SEC is noteworthy, as WSJ indicates the federal agency “has never brought a case against a company for failing to disclose a cyberbreach, given the blurriness of when an issue might be ‘material’.” The publication further notes that it’s unusual because of the scope and timing — sure, there have been numerous cyberattacks in the past year, including those affecting Ashley Madison, Target, Dow Jones, and others, but none have been on this scale and so soon after an acquisition was initiated.

Yahoo referred us to language from its SEC filing where it said it’s cooperating with “federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.”

But it is also interesting to note that the company is revealing its latest financial earnings on Monday. However, it will not hold an earnings call, citing its continued acquisition by Verizon.

Updated as of 8:41 a.m. Pacific on Monday: Corrected that 500 million user accounts were affected, not users.