Senators Question Yahoo's Candor on Data Breach


Two influential U.S. senators rebuked Yahoo Inc. Chief Executive Marissa Mayer on Friday for her company's failure to answer questions about its massive data breaches and for abruptly canceling a recent meeting with congressional staffers.

In a letter addressed to Ms. Mayer, Sen. John Thune (R., S.D.), chairman of the Senate Commerce Committee, and Sen. Jerry Moran (R., Kan.) said Yahoo's "last-minute" cancellation of the Jan. 31 meeting "has prompted concerns about the company's willingness to deal with Congress with complete candor about these recent events." Mr. Moran is chairman of the Subcommittee on Consumer Protection, Public Safety, Insurance, and Data Security.

"Despite several inquiries by Committee staff seeking information of about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions," the senators wrote.

A Yahoo spokeswoman said late Friday in an email that the company was reviewing the letter and would "respond as appropriate."

Yahoo's two data breaches are believed to be the largest ever reported. In 2013, hackers gained access to private information stored in more than 1 billion Yahoo accounts, an incident the company publicly disclosed this past December. A separate incident in 2014, which Yahoo disclosed last September, incident affected 500 million accounts.

Yahoo has said that it became aware of the 2014 attack later that year, but it hasn't explained why it took two years to disclose the incident to the public.

The company said it learned of the 2013 incident late last year.

The Wall Street Journal reported in January that the U.S. Securities and Exchange Commission had opened an investigation into whether Yahoo should have reported the two breaches sooner to investors. Yahoo at the time didn't comment.

In a November securities filing, it said it was "cooperating with federal, state and foreign" agencies seeking information on the 2014 breach, including the SEC.

The breaches also have cast a cloud over Verizon Inc.'s $4.8 billion deal to acquire Yahoo's core business, a deal announced in July before the breaches were disclosed. Yahoo said last month that the deal's closure, which had been expected in the first three months of 2017, would be pushed into the second quarter.

The senators' letter said Yahoo in September discussed the 2014 incident with Commerce Committee staffers and the company said it would provide more details later as new information became available. The letter said when Yahoo contacted the committee in December to report the 2013 breach, the company agreed to provide a follow-up briefing for staff, but then on Jan. 28 canceled the scheduled meeting.

The letter lists five questions for Yahoo and gives the company a deadline of Feb. 23 to respond.