Lawmakers are unhappy with Yahoo’s two-year wait to disclose a breach that compromised the information of an estimated 500 million users.
In a letter to company CEO Marissa Mayer, Sens. Patrick Leahy (D-Vt.), Ed Markey (D-Mass.), Elizabeth Warren (D-Mass.), Ron Wyden (D-Ore.), and Al Franken (D-Minn.) demanded an explanation. “Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information,” the legislators wrote.
Yahoo revealed in late September that, in 2014, hackers may have obtained email addresses, telephone numbers, security questions, birthdates, and encrypted passwords associated with up to 500 million Yahoo accounts. The company’s chief information security officer said Yahoo believes a “state-sponsored actor” bears responsibility for the breach.
While the fact of the breach was troubling, the Senators found the delay in notification even more disturbing. “That means millions of Americans’ data may have been compromised for two years,” the legislators wrote. “This is unacceptable.”
To better understand what went wrong and how Yahoo intends to safeguard data and protect its users in the future, the lawmakers requested answers, beginning with a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities, and when the company notified its customers. Referencing press reports that the breach was not discovered until August of this year—despite taking place in 2014—the Senators asked how such a large intrusion of the company’s systems could have gone undetected.
The letter also sought details on the exact number of users that are affected and what protection Yahoo is providing to those whose identities and personal information have been compromised.
Looking forward, the legislators wondered, “What is Yahoo doing to prevent another breach in the future? Has Yahoo changed its security protocols, and in what manner?” The letter also queried whether anyone in the U.S. government warned Yahoo of a possible hacking attempt and, if so, when the warning was issued.
To read the Senators’ letter to Yahoo, click here.
Why it matters: The letter from the lawmakers is just one piece of the puzzle for Yahoo in the wake of the data breach revelation. Other legislators are suggesting that the company breached its obligations to investors by failing to disclose the breach in a timely fashion. They requested an investigation by the Securities and Exchange Commission. In addition, two other putative class actions have already been filed against Yahoo in California and Illinois federal courts, one accusing the company of gross negligence and another citing violations of California’s Unfair Competition Law and Consumer Legal Remedies Act.