In September, news broke that Yahoo took years to fully investigate and inform its customers about a massive data breach that occurred back in 2014. Then, just a few months later, the company revealed that an additional one billion accounts were compromised in 2013. Now, some Republican senators are demanding to know why Yahoo is treating them as poorly as it did its own customers.
On Friday, Sen. John Thune (R-S.D.) and Sen. Jerry Moran (R-Kan.) fired off a scathing letter to Yahoo’s president and CEO Marissa Mayer demanding answers about the hacks. It states that the company skipped out on a planned congressional briefing late last month, “abruptly canceling” it at the last minute. The senators write that being stood up has “prompted concerns about the company’s willingness to deal with Congress with complete candor.”
The lawmakers have now given Yahoo until February 23rd to answer their “basic” questions. With the joint powers of the Senate Commerce Committee and the Consumer Protection and Data Security Subcommittee, answers will be had.
When Yahoo filed an SEC report in November, it admitted that some employees were aware of the 2014 attack at the time but the investigation was dropped. After the investigation into that hack was reopened, the company discovered the other, far larger, 2013 attack. Promises were then made to “continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.” So, how’s that going? Nobody seems to fucking know.
Here are the fundamental questions that the senators sent along:
1. With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!’s efforts to identify and provide notice to these users.
2. With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised? Does the data include sensitive personal information?
3. What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?
4. What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?
5. In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo! 2013 initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.
These are good questions and we should encourage Congress to thoroughly investigate all major state-sponsored hacks. The American people deserve to know.
Gizmodo has reached out to Yahoo for comment about the cancellation of the briefings and to ask if it will comply with the senators’ demands. We’ll update this post when we receive a reply.
[via Ars Technica]