Yahoo's huge data breach is making waves on Capitol Hill.
Continue Reading Below
Sen. Mark Warner on Monday asked the Securities and Exchange Commission to investigate whether Yahoo fulfilled its obligations to properly keep its users and investors abreast of its investigation into a massive data breach that saw 500 million user account details stolen.
"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," the Virginia Democrat, who serves on the Senate Intelligence and Banking Committees and is the co-founder of the Senate Cybersecurity Caucus, said in a statement. "Yahoo's September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."
Yahoo announced last week that at least 500 million user accounts were hacked by what it believes was a government actor. While Yahoo said that its investigation is ongoing, it revealed that the data was taken in 2014. Since then, press reports have surfaced, saying that Yahoo CEO Marissa Mayer knew about the hack in July but did not notify users until last week. Verizon, which acquired Yahoo this summer, also wasn't notified until last week, the Financial Times says.
Federal law dictates that companies must inform users and investors of a breach within four days.
"I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems," Warner wrote to the SEC. "Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature."
Neither Yahoo nor the SEC immediately responded to PCMag's request for comment.