Yahoo has agreed to pay $50 million in damages over the biggest security breach in history.
According to the Washington Post, the company will also provide two years of free credit-monitoring services to 200 million people whose email address and other personal data were stolen during the hack. The settlement still needs federal court approval.
The announcement comes a few months after the Securities and Exchange Commission (SEC) revealed that Altaba, the entity formerly known as Yahoo, had agreed to pay a $35 million penalty to settle charges related to the data breach.
Altaba agreed to pay the fine to settle charges that it misled investors by failing to announce the data breach. The SEC said that within days of the hack in December 2014, Yahoo’s IT team learned that Russian hackers had infiltrated the company and stolen usernames, email addresses, phone numbers, security questions and encrypted passwords, among other sensitive data.
However, although the Yahoo executive team was alerted to the breach, the SEC found that Yahoo failed to investigate it properly and to consider whether investors should be notified. The breach wasn’t disclosed to investors until 2016, when Yahoo was closing its deal to sell its internet assets to Verizon Communications.
And in May, Karim Baratov, a Canadian who was charged with hacking Yahoo’s email for the Russians, was sentenced to 60 months.
Verizon will pay for one half of the $50 million settlement cost, with the other half paid by Altaba.
Some experts have maintained that damages caused by security breaches can range from $1 to $8 per account, which means that this breach could have cost Yahoo more than $1 billion if it had lost the case. Yahoo, however, disputed those estimates, claiming that many of its account holders gave false information about their birthdates, names and other personal information when they set up their email accounts.