The timing behind Yahoo’s decision to disclose details Thursday about a 2014 data breach is being questioned by lawmakers concerned with its effect on a half-billion account holders as well as Verizon Communications’ plans to purchase the company for $4.8 billion.
Sens. Richard Blumenthal of Connecticut and Mark Warner of Virginia, both Democrats, voiced concerns Thursday in the aftermath of the tech titan’s announcement about the largest digital data breach ever recorded.
News reports of a potential security incident first appeared in an Aug. 1 article published by Motherboard, and a source familiar with the matter told The Washington Post that Yahoo was aware of the breach as early as July — the same month it was revealed that Verizon will acquire the company in 2017.
“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” said Mr. Blumenthal, who advocates on behalf of consumers as a member of the Senate Committee on Commerce, Science and Transportation.
“Asking users to reset their passwords when it first learned of the breach would have been a simple and effective step at mitigating any risk to accounts and protecting consumer data,” he added. “As law enforcement and regulators examine this incident, they should investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”
Verizon said Thursday it was only made aware of the incident earlier this week — two months after it announced plans to purchase Yahoo in the first quarter of 2017.
Hackers — likely state-sponsored actors — pilfered the personal information of more than 500 million account holders in late 2014, Yahoo said. The FBI is investigating the breach “and will determine how this occurred and who is responsible,” the bureau said in a statement.
“While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today,” Mr. Warner, a member of the Subcommittee on Financial Institutions and Consumer Protection, said earlier Thursday shortly after Yahoo confirmed it was hacked.
In the wake of significant but smaller data breaches that have befallen private companies including Target and Home Depot in recent years, both Democrats said their colleagues should work to codify rules that would require hacked corporations to come clean with customers in the event of security incidents like these.
“Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue, and I urge my colleagues to work together to pass this essential legislation,” Mr. Warner said.
“This breach demonstrates the urgent need for Congress to enact data breach and security legislation — only stiffer enforcement and stringent penalties will make sure companies are properly and promptly notifying consumers when their data has been compromised,” Mr. Blumenthal said.
Indeed, the senators’ concerns are also being raised off Capitol Hill by security professionals who are likewise confused by the timing of Yahoo’s announcement.
“If Yahoo only recently discovered the breach, the issue is why did it take them so long to notice? Or if Yahoo detected it within hours, days or even weeks of the original breach, why did it take so long for them to disclose? This is a key detail,” Jeremiah Grossman, WhiteHat Security founder and a former information security officer for Yahoo, told The Washington Times on Thursday.
“Why they held onto this information for two years is inexplicable,” said John Dickson, a former member of the U.S. Air Force Computer Emergency Response Team (CERT) and principal at Denim Group, a Texas-based security firm. “I suspect management withheld release of this information given the non-stop stream of bad news that has emanated from Yahoo since 2014. The most prudent thing to have done was to release this news far earlier so users had a reasonable time to change passwords.”
• Andrew Blake can be reached at ablake@washingtontimes.com.