Sen. Mark Warner (D-Va.) is calling for the Securities and Exchange Commission (SEC) to investigate Yahoo, saying the company may have failed to meet the legal requirements for notifying consumers of a data breach.
Warner wrote in a letter to SEC Chairwoman Mary Jo White that federal law requires major data breaches to be disclosed to shareholders of public companies within four business days. Warner said Yahoo’s press release last week revealing the hack suggested the company was aware of it as early as July.
{mosads}“Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner wrote. “I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.”
The SEC declined to comment.
Last Thursday, Yahoo confirmed that it had been hacked in the largest data ever. Five-hundred million accounts were compromised that included users’ “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
In August, Yahoo said that it was aware of another potential breach, in which a hacker claimed that she stole 200 million accounts taken from Yahoo in 2012. It is unclear if the breaches are related.
Warner’s letter is an escalation of his earlier criticism of Yahoo regarding the data breach. Previously, Warner had expressed disappointment with Yahoo, but did not call for action against the company.
He joins Sen. Richard Blumenthal (D-Conn.) in calling for an investigation of Yahoo. Blumenthal suggested that law enforcement review Yahoo to see if it “concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”