| pixabay.com, the commons

Senate Democrats turn up heat on Yahoo data breach

In a letter sent to Securities and Exchange Commission Chair Mary Jo White on Monday, Sen. Mark Warner (D-Va.) requested an SEC investigation into whether executives at Yahoo intentionally kept the public in the dark about a massive data breach in 2014.

Last week, Yahoo publicly disclosed that, in 2014, hackers stole passwords and other personal information from as many as many as 500 million Yahoo users worldwide.

Yahoo is in the process of selling its core operations, which include websites such as Flickr, Tumblr and fantasy football site Rivals.com, to Verizon. The $4.8-billion deal was signed in late July and is expected to be finalized in early 2017.

Warner’s letter, however, could complicate that deal.

According to Warner, Yahoo did not inform Verizon of the breach until Sept. 20.

Warner also said that in its Sept. 9 proxy statement filed with the SEC as part of the Verizon deal, Yahoo asserted that there “have not been any incidents of, or third-party claims challenging ... security breach, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.”

In his letter, Warner said “companies are required to disclose material events that shareholders should know about via Form 8-K within four business days."

"A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event,” Warner said. 

“The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.”

Verizon issued a statement on Sept. 23 in which it said it will evaluate its options “as the investigation continues.”

In an interview on CNBC Monday, Tim Armstrong, CEO of Verizon-owned AOL and the person likely to oversee the integration of Yahoo's assets into Verizon's platforms, said Verizon "found out about the data issue last week."

"We're working with Yahoo right now to really get into the data situation and figure out what it is," Armstrong said. "We're in the very early stage on that right now, so we're not going to have a lot of answers for you.

"One of the question that has to be answered is when did [Yahoo executives] know [about the breach], and when was the alert set up to let us know overall," Armstrong said. 

"We do want to separate the data breach from where we want to work with them."

The heat on Yahoo increased on Tuesday, when six Senate Democrats, including Patrick Leahy (D-Vt.) and Elizabeth Warren (D-Mass.), sent a letter to Yahoo CEO Marissa Mayer demanding answers to a series of questions about the company’s response to the data breach.

The letter’s signers want Yahoo to brief their staffs “on the company’s investigation into the breach, its integration with appropriate law enforcement and national security authorities, and how it intends to protect affected users.

In a statement issued Sept. 22, Yahoo said its systems had been hacked by what it believed was a “state-sponsored actor,” and that user information, including names, email addresses, telephone numbers, dates of birth, encrypted passwords and security questions, had been stolen.

Yahoo said it was “notifying affected users” on how to secure their accounts, but unlike other firms that have suffered security breaches, offered no credit monitoring protection to those users.

In a separate statement issued the same day, Yahoo chief information security officer Bob Lord said the company was “working closely with law enforcement on this matter.”