
Yahoo’s announcement last week that data from 500 million user accounts had been stolen in 2014 by what it called a “state-sponsored actor” certainly alarmed Yahoo’s users and its new bosses at Verizon. But now it seems that eyebrows were raised in the Senate as well.

Senator Mark Warner, a co-founder of Nextel and a former startup investor, has called on the Securities and Exchange Commission to investigate whether Yahoo properly notified the public and its investors of the massive security breach.

The timing doesn’t look good for Yahoo. As Warner notes in his letter to SEC chairwoman Mary Jo White, press reports indicate that Yahoo CEO Marissa Mayer knew about the breach as early as July, when the company was still finalizing its sale to Verizon. (Disclosure: TechCrunch is owned by AOL, which is owned by Verizon.) By law, Yahoo should have disclosed the breach to the public and its investors within four days, but the company didn’t notify Verizon until September 20 and told its users two days later.

“The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it,” Warner wrote in his letter. “I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.”

In August, TechCrunch heard rumors of a significant Yahoo breach and asked the company about it. A spokesperson for Yahoo told us at the time, “We are aware of a claim. We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”

But on September 9, Yahoo said in a proxy statement, “To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.” That statement simply isn’t accurate, since Yahoo told us a month earlier that they were aware of just such a third party claim.

“Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a statement.

Although it’s fairly common for large breaches to go undetected for years (years-old hacks of Tumblr and MySpace only surfaced recently), Yahoo’s claims about security this summer don’t seem to line up. It’s just one of Yahoo’s security struggles — the company lost several C-level security executives prior to its sale.

Warner is asking the SEC to investigate Yahoo, but he’s also asking the SEC to look into why more major companies aren’t disclosing cybersecurity problems. “Since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,” he wrote.

_Additional reporting by Ingrid Lunden._