Va. senator wants SEC probe of massive Yahoo breach

Warner wants the agency to determine whether Yahoo informed the public and investors in a timely way

U.S. Sen. Mark Warner, D-Va., on Monday urged the U.S. Securities and Exchange Commission to investigate whether Yahoo met its legal obligations to keep the public and investors informed about a massive breach of 500 million Yahoo accounts.

In a letter to the SEC, Warner said Yahoo failed to file a Form 8-K disclosure to the public about the breach, and that the company said in a proxy statement on Sept. 9 that it had not experienced any breaches.

Warner said Yahoo knew about the breach as early as July but didn’t inform Verizon, which is in the process of acquiring Yahoo, until Sept. 20. Verizon said on July 25 it would buy Yahoo's internet business for $4.8 billion.

“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems,” Warner wrote.

He added that fewer than 100 of about 9,000 publicly listed companies have reported a material breach since 2010. “I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,” Warner wrote.

An SEC spokesman declined any comment on Warner’s request. Yahoo didn’t immediately respond.

Separately, Warner is developing bipartisan legislation to create a uniform, nationwide data breach standard that requires timely consumer notification of data breaches inside organizations. Several U.S. states have breach notification policies, including California.

Some analysts on Monday said the U.S. needs more authority to force companies to be more responsible and more forthcoming about breaches. Unless federal authorities get involved, “we will continue to see such egregious breaches,” said Jack Gold, an analyst at J.Gold Associates. “If Yahoo knew it had been breached and didn’t disclose, it will face mounting criticism and lawsuits, some already started.”

Gold said the concern over Yahoo’s reporting of the breach is “one more reason that I’d argue Verizon should go slow in acquiring Yahoo.”

Roger Entner, an analyst at Recon Analytics, last week defended Yahoo, saying the breach was by an unnamed nation-state, which is an attack that can’t be prevented.

Nonetheless, “Yahoo didn’t disclose fast enough nor did it investigate quickly enough with enough vigor,” Entner said. “The breach happened in 2014 and now we find out about it in 2016. The hackers had two years to exploit whatever they found there. That’s a huge problem. Customers need to be informed more quickly so that the hackers cannot use the data for two years before customers know they need to react.”

Entner also put in a plea for two-factor authentication for access to most websites. “A password and challenge question just isn’t safe anymore. All of that has been thoroughly compromised.”

Patrick Moorhead, an analyst at Moor Insights & Strategy, said it's unfortunate that because “industry couldn’t regulate itself, Congress feels it needs to get involved … What Yahoo, Google, Facebook, Twitter and Microsoft should do is get together and agree to a [disclosure] standard and keep the government out of it. We don’t need another bloated government organization and should call on industry to self-regulate.”

Stories by Matt Hamblen