U.S. Sen. Mark Warner said Monday the Securities and Exchange Commission should investigate the Yahoo breach that affected some 500 million user accounts to determine if senior executives informed investors and the public in a timely matter.
In a letter to SEC Chair Mary Jo White, Warner, D-Va., asked the agency to determine whether Yahoo was honest about the security of its systems and whether current SEC regulations on reporting such breaches are adequate.
Yahoo last week admitted “state-sponsored” hackers had violated 500 million user accounts in 2014. The internet firm said no passwords, payment card data or bank account information was affected.
Warner, who co-founded Nextel and invests in startups, said he wants to know when Yahoo became aware of the breach and whether what Yahoo has said about the incident is true. Warner cited press reports indicating Yahoo CEO Marissa Meyer may have known about the breach as early as July before the company’s sale to Verizon was finalized.
Federal regulations required Yahoo to disclose the breach within four days but it did not notify Verizon until Tuesday and the public until Thursday, TechCrunch reported.
“The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it,” Warner wrote. “I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.”
TechCrunch it inquired about a possible breach during the summer but did not receive a definitive comment.
“Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a statement.
Yahoo has yet to provide a clear, detailed timeline of when it learned about the breach, Reuters reported. It has hired Stroz Friedberg, a cybersecurity firm, to investigate the incident.
The FBI has initiated its own investigation.
Computerworld noted Warner is preparing legislation to create a national data breach standard that would require timely consumer notification.