U.S. senator calls for SEC probe of Yahoo disclosures on hacking timeline

Image Credit: Ken Yeung/VentureBeat

(Reuters) – Democratic Senator Mark Warner on Monday asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about a hacking attack affecting 500 million user accounts.

“Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about,” Warner said in a letter to SEC Chairwoman Mary Jo White.

Yahoo has faced pointed questions about exactly when it knew about the 2014 cyber attack announced last week that exposed the email credentials of half a billion accounts, a critical issue for the company as it seeks to prevent the breach from affecting a pending takeover of its core business by Verizon.

Warner also asked the SEC to probe whether Yahoo has “made complete and accurate representations” about the security of its information technology systems, and for the agency to evaluate its current thresholds for how and when companies need to report a material data breach.

Although the SEC has longstanding guidance on when publicly traded companies should report hacking incidents, companies that have experienced known breaches often omit those details in regulatory filings, according to a 2012 Reuters investigation.

In a Sept. 9 regulatory filing with the SEC, Yahoo stated it did not have knowledge of “any incidents of, or third party claims alleging … unauthorized access” of personal data of its customers that could have a material adverse effect on Verizon’s acquisition.

Establishing that Yahoo is liable for damages under SEC rules is a “pretty high bar” in data breach cases, said Robert Cattanach, a lawyer at Dorsey & Whitney who specializes in cyber security.

Yahoo is additionally protected from liability given the relative lack of sensitivity of the data compromised, Cattanach said, though he said both the SEC and Federal Trade Commission were likely to open investigations.

At least one state, Massachusetts, is also seeking more information from Yahoo about the breach, a spokesperson for the state’s attorney general told Reuters on Monday.

Yahoo has so far not provided a clear, detailed timeline about when it was made aware of the breach announced Thursday.

Cyber security services firm Stroz Friedberg has been hired by Yahoo to help investigate the breach, firm spokeswoman Carolyn Vadino said.

The FBI is also investigating the hack, which Yahoo has blamed on a “state-sponsored actor” although the company has not provided technical information to support that claim.

(Reporting by Dustin Volz in Washington; Additional reporting by Jim Finkle in Boston; Editing by Cynthia Osterman and Mary Milliken)
