Two Republican senators are losing patience with Marissa Mayer.
Today, Sen. John Thune (R-S.D.) and Sen. Jerry Moran (R-Kan.) set a February 23 deadline to address unanswered questions about two unprecedented data breaches. In a letter to Mayer, the two claim the Yahoo CEO has been “unable to provide answers to many basic questions about the reported breaches.”
The breaches in question are those from 2013 and 2014. The 2014 hack compromised some 500 million accounts, making it the largest data breach in history. It didn’t hold the record for long.
After signing on the dotted line in July 2016, Verizon learned a month later of the 2013 hack.
At the time, Yahoo revealed it affected 500 million accounts. Later that year, we learned it was actually a billion. Worse, an SEC filing admits some employees knew of the breach in 2014, shortly after it happened.
The public — including those with compromised accounts — learned of it in 2016, after the Verizon deal. Verizon, for its part, took issue with the timing. Its general counsel told reporters in October that Verizon was leaning toward declaring the data breach a “material event” — a move that generally leads to court action to reduce the purchase price, or back out of the deal.
Now, lawmakers want answers. The letter seeks to elicit a response to these specific questions:
1.) With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!’s efforts to identify and provide notice to these users.
2.) With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised? Does the data include sensitive personal information?
3.) What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?
4.) What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?
5.) In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo! 2013 initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.
Senators have given Mayer until February 23 to comply.
Yahoo did not immediately respond to TNW’s request for comment.