SEC set to grill Yahoo for failure to report 1.5bn user data breaches - report
An investigation has been opened by the Securities and Exchange Commission (SEC) into whether the internet company complied with civil securities law requiring companies to disclose cybersecurity risks as soon as they are deemed to have an effect on investors, reports The Wall Street Journal.
The SEC put in a request for documents relating to the company’s handling of the data breaches last December.
In September 2016, Yahoo announced a huge data breach of 500 million accounts, which it claimed was carried out by a “state-sponsored actor” back in 2014.
At the time, the company claimed it only became aware of the data breach following a “recent investigation”; however, an SEC filing in November revealed the company was looking into an unspecified number of employees who knew about the massive data breach in 2014.
In December, the company announced it had been subject to an earlier data breach, this time of more than one billion user accounts, which it believes was carried out by a separate hacker in August 2013.
Both times, Yahoo said the hacker acquired the usernames, dates of birth, passwords, backup email addresses, countries of origin and ZIP codes of users, but no financial information.
The investigation will likely center around the 2014 hack, “according to people familiar with the matter,” reports the WSJ, and why it took two years for Yahoo to disclose the breach.
Yahoo has suffered up to $1 million in losses to date and is facing a total of 23 class-action lawsuits both in the US and abroad. In addition, the company’s CEO Marissa Mayer and five other longtime directors will be stepping down from the board.
Yahoo is set to rename itself Altaba as soon as its $4.83 billion acquisition deal with Verizon Communications is complete.