Senator Questions Yahoo's Handling of Data Breach Disclosure, Calls for SEC Investigation
Sen. Warner questioned the company's delay in revealing the data breach.
Sen. Mark Warner, D-Va., asked the Securities and Exchange Commission today to open an investigation into whether Yahoo “fulfilled its obligations under federal securities laws to keep the public and investors informed” about a massive security breach revealed last week.
The company revealed that a “state-sponsored actor” stole data associated with some 500 million accounts from its servers in late 2014.
Warner, a former technology executive, is a member of the Senate Intelligence and Banking Committees and co-founder of the bipartisan Senate Cybersecurity Caucus.
Russian hackers are suspected to be behind the attack, sources familiar with the matter recently told ABC News. Yahoo has not commented on that detail.
Verizon announced on July 25 that it would buy the tech company for $4.83 billion. Verizon said about 20 minutes after Yahoo announced the security breach on Sept. 22 that it had only learned about the breach "within the last two days."
Meanwhile, shortly after the breach announcement, a source familiar with the matter told ABC News that Yahoo launched an internal investigation "following a report earlier this summer [July 2016] of a hacker indicating that 280 million user credentials were for sale on the black market."
According to the source, the company "found no evidence to substantiate the hacker’s claims," but when an internal security team broadened the scope of its investigation, “they identified evidence of the theft by a state-sponsored actor occurred in 2014.”
Yahoo noted on Friday that "a recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. Our investigation into this matter is ongoing and the issues are complex."
"Some things, however, are clear: Yahoo has never had reason to believe there is any connection between the security issue disclosed yesterday [Sept. 22] and the claims publicized by a hacker in August 2016. Conflating the two events is inaccurate.”
Late on Friday, The Wall Street Journal, citing an unnamed source, reported that Yahoo "detected hackers in their systems in fall 2014 who they believed were linked to Russia and were seeking data on 30 to 40 specific users of the company’s online services."
The Journal reported that the person being cited did not "know whether that attack led to the theft of information on 500 million user accounts."
The timing of the attack and its disclosure has raised questions about whether Yahoo has violated securities laws, which require publicly traded companies to disclose information that has the potential to sway markets.
“Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year,” Sen. Warner said in a letter to SEC Chairwoman Mary Jo White. “Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public.”
Yahoo filed a Form 8-K hours after it announced the data breach on the afternoon of Sept. 22. Regulations require that a Form 8-K be submitted within four business days of an event that is material to investors.
Notably, a filing submitted to the SEC by Yahoo on Sept. 9, a copy of which was reviewed by ABC News, stated: “To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession ... that could reasonably be expected to have a Business Material Adverse Effect.”
At market open on Monday, Yahoo’s stock had lost about 3.75 percent of its value since its opening on Sept. 22 -- the day the hack was announced.
“Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in the letter, dated today. “The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.”
Yahoo did not immediately respond to ABC News' request seeking comment on Warner’s request to the SEC.
Verizon declined to comment to ABC News on the matter.
The SEC declined to comment and would not confirm or deny whether there is an investigation.
Yahoo is a content partner of ABC News.
ABC News’ Mike Levine and Pierre Thomas contributed to this report from Washington.
Editor's note: This story has been updated to reflect that a source said that Yahoo launched an internal investigation following hacker claims in July 2016, which ultimately led investigators to discover evidence of the breach revealed last week. A previous version of this story stated that the discovery of the breach was in July 2016. It is not clear when exactly the discovery was made.