When Did Yahoo Know about the 2014 Breach? | eWeek

SEC Filing Indicates Yahoo Might Have Known About Data Breach in 2014

SEC Filing Indicates Yahoo Might Have Known About Data Breach in 2014
Nov 11, 2016
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Yahoo first publicly confirmed on Sept. 22, that it was the victim of a massive data breach in 2014 that impacted over 500 million users. In a new SEC 10-Q filing, Yahoo reported that in fact, it was possible that it was known within Yahoo in 2014 that the company had been hacked.

“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.” the filing states.

Yahoo’s 10-Q also reveals new details on the initial financial impact of the breach. The filing reports that Yahoo recorded expenses of $1 million related to the breach in the quarter ended September 30, 2016.

That said, Yahoo’s breach related expenses may yet rise as the filing also notes that to date, 23 consumer class action lawsuits have been filed against Yahoo in U.S. federal and state courts. The security breach also could potentially have an impact on Yahoo’s pending $4.38 billion acquisition by Verizon.

Security experts contacted by eWEEK had a mixed response to the latest disclosure from Yahoo about the data breach and how look it took for the information to come to light.

Tom Kellermann, CEO of Strategic Cyber Ventures said that he’s not surprised that Yahoo potentially knew about the data breach in 2014, but didn’t make a full public disclosure until 2016.

“This aligns with the corporate culture of plausible deniability,” Kellermann told eWEEK. Yahoo’s brand “is inextricably tied to the trust and confidence her users place in the safety of the IT infrastructure. Disclosing would have resulted in reputational risk.”

In contrast, Brian NeSmith, CEO of Arctic Wolf Networks said that it is inexcusable for Yahoo not to have notified users and the authorities about the breach when they knew about it. He added that hundreds of millions of people trusted Yahoo with their personal and private information and they had a duty to keep that information safe.

Cris Thomas, Strategist at Tenable Network Security also wasn’t surprised that Yahoo potentially knew about its breach years before public disclosure. Thomas, previously better known in the security community as “Space Rogue,” testified before a U.S. Senate Committee on internet security in 1998 while he was a member of the Cambridge, Massachusetts hacker group known as The L0pht.

“While most of the breaches are disclosed eventually, there are often questions as to whether or not the company released the information in a timely manner,” Thomas told eWEEK.

Lessons Learned

While it’s not yet exactly clear in the Yahoo breach incident who knew what and when, there are some lessons that can be learned by other organizations. Thomas commented that it is often difficult for information security professionals to clearly communicate the customer and business risks associated with data breaches.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.