Va. senator wants SEC probe of massive Yahoo breach

U.S. Sen. Mark Warner, D-Va., on Monday urged the U.S. Securities and Exchange Commission to investigate whether Yahoo met its legal obligations to keep the public and investors informed about a massive breach of 500 million Yahoo accounts.

In a letter to the SEC, Warner said Yahoo failed to file a Form 8-K disclosure to the public about the breach, and that the company said in a proxy statement on Sept. 9 that it had not experienced any breaches.

Warner said Yahoo knew about the breach as early as July but didn’t inform Verizon, which is in the process of acquiring Yahoo, until Sept. 20. Verizon said on July 25 it would buy Yahoo's internet business for $4.8 billion.

“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems,” Warner wrote.

He added that fewer than 100 of about 9,000 publicly listed companies have reported a material breach since 2010. “I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,” Warner wrote.

An SEC spokesman declined any comment on Warner’s request. Yahoo didn’t immediately respond.

Separately, Warner is developing bipartisan legislation to create a uniform, nationwide data breach standard that requires timely consumer notification of data breaches inside organizations. Several U.S. states have breach notification policies, including California.

Some analysts on Monday said the U.S. needs more authority to force companies to be more responsible and more forthcoming about breaches. Unless federal authorities get involved, “we will continue to see such egregious breaches,” said Jack Gold, an analyst at J.Gold Associates. “If Yahoo knew it had been breached and didn’t disclose, it will face mounting criticism and lawsuits, some already started.”

Gold said the concern over Yahoo’s reporting of the breach is “one more reason that I’d argue Verizon should go slow in acquiring Yahoo.”

Roger Entner, an analyst at Recon Analytics, last week defended Yahoo, saying the breach was by an unnamed nation-state, which is an attack that can’t be prevented.

Nonetheless, “Yahoo didn’t disclose fast enough nor did it investigate quickly enough with enough vigor,” Entner said. “The breach happened in 2014 and now we find out about it in 2016. The hackers had two years to exploit whatever they found there. That’s a huge problem. Customers need to be informed more quickly so that the hackers cannot use the data for two years before customers know they need to react.”

Entner also put in a plea for two-factor authentication for access to most websites. “A password and challenge question just isn’t safe anymore. All of that has been thoroughly compromised.”

Patrick Moorhead, an analyst at Moor Insights & Strategy, said it's unfortunate that because “industry couldn’t regulate itself, Congress feels it needs to get involved … What Yahoo, Google, Facebook, Twitter and Microsoft should do is get together and agree to a [disclosure] standard and keep the government out of it. We don’t need another bloated government organization and should call on industry to self-regulate.”

Avivah Litan, an analyst at Gartner, urged Congress to pass a federal data breach disclosure law. "It’s not clear to me that Yahoo was legally obligated to disclose this breach under one of the many state disclosure laws -- almost every U.S. State has one -- given the type of relatively low-risk data that was stolen," she said.
