Agreed, the $35 million penalty was to settle charges that Yahoo "misled investors by failing to disclose one of the world’s largest data breaches".
The breach occurred on Dec 14th 2014 and it wasn't disclosed until 2016 during the acquisition by Verizon.
Taken from the SEC's site:
"Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure."
It says “for adjective adjective cyber theft”, which implies “undisclosed” is just modifying the object they were fined for. GP is not alone in their confusion; the top comment right now is talking about how it’s a slap on the wrist _for the breach_ (and not for the lack of disclosure).
A better title would be “SEC Penalizes Yahoo for Failure to disclose Massive security breach”