Seems like Verizon isn’t the only one who was left in the dark about Yahoo’s data breaches.
The heads of two prominent Senate Committees gave embattled Yahoo CEO Marissa Mayer a tongue lashing for failing to provide even “basic” information around its two recently disclosed data hacks and grilled Mayer in an attempt to extract relevant details about the incidents.
Senator John Thune, Chairman of the Committee on Commerce, Science, and Transportation and Senator Jerry Moran, head of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, issued a letter to Mayer on Friday castigating her for Yahoo’s inability to “provide answers to many basic questions” about the breaches and for Yahoo’s abrupt cancellation of a planned briefing on the incidents. Yahoo’s lack of responsiveness and cooperation, they said, was cause for concern.
“Despite several inquiries by Committee staff seeking information about the Security of Yahoo user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches,” the letter reads. “Moreover, Yahoo’s recent, last-minute cancellation of a planned congressional staff briefing, originally scheduled for January 31, 2017, has prompted concerns about the company’s willingness to deal with Congress with complete candor about these recent events.”
The letter concludes with a series of five questions seeking information on the depth of the attacks, information revealed in them, and steps Yahoo has taken in response to the revelations. The Senators gave Yahoo approximately two weeks to respond.
The Senators’ note comes in the wake of back-to-back disclosures from Yahoo late last year revealing two massive data breaches nearly two years after they were believed to have happened.
In September, Yahoo announced the first discovered hack of around 500 million customer accounts. That incident was believed to have occurred in 2014, and exposed information including users’ names, email addresses, telephone numbers, birth dates, scrambled passwords, and the security questions (and answers) used to verify an account holder’s identity.
The company followed up with an announcement in December that a second, larger breach of more than one billion accounts had occurred in August 2013. Yahoo said that breach, which was discovered during the investigation into the first, exposed the “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” The company said the stolen information, though, did not include passwords, payment card data, or bank account information.
Verizon, which last July agreed to acquire Yahoo for $4.83 billion, has been tight-lipped on its plans in the wake of the revelations. However, carrier executives have previously indicated they had no idea about the hacks going into the deal.
Last month, the Wall Street Journal reported the Securities and Exchange Commission has opened an investigation into the timing of Yahoo’s hack disclosures to see whether the incidents should have been announced sooner.