Altaba, the holding company that houses the remnants of what was once Yahoo, will pay the Securities and Exchange Commission $35 million to settle charges relating to its handling of a massive data breach dating back to 2014.
The SEC said Tuesday that Altaba’s payment will settle allegations that the company, when it was known as Yahoo, failed to disclose to investors its knowledge of the huge 2014 data breach that exposed the personal data of over 500 million users.
Yahoo senior management failed to fully investigate a data breach that Yahoo cyber security staff unearthed days after it occurred in December 2014, the SEC alleged. When Yahoo eventually disclosed the data breach in 2016, the company was in the final stages of being sold to Verizon Communications.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” the SEC’s San Francisco Regional Director Jina Choi said in a statement. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Although Yahoo filed multiple quarterly and annual reports following the 2014 data breach, the company never mentioned it and instead only included warnings about the possible negative impact from a data breach if one or several were to occur, the SEC said.
From the SEC:
Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Get Data Sheet, Fortune’s technology newsletter.
Altaba was officially created in the summer of 2017 when Verizon completed its $4.5 billion purchase of Yahoo’s core internet business. It’s now an investment company, with its two primary investments being Chinese e-commerce giant Alibaba and Yahoo Japan Corp.