Virginia Senator Mark Warner (D) has expressed concern about the true extent of the 2014 Yahoo! security breach, which was officially reported on Sept. 22 of this year.
Sen. Warner wrote a letter to the U.S. Securities and Exchange Commission, asking the department to conduct an investigation on the breach, as he believes that there is more to the story than Yahoo has disclosed.
Yahoo reported that 500 million user accounts were compromised during the 2014 breach, but Sen. Warren questions how long the company knew about the compromise before the report was published.
In his letter to the SEC, Sen. Warner wrote the following:
“Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about.
“Data security increasingly represents an issue of vital importance to management, customers and shareholders, with major corporate liability, business continuity and governance implications. A breach of the magnitude that Yahoo! and its users suffered seems to fit squarely within the definition of a material event.”
According to protocol, any data breach must be disclosed to the company’s investors as well as the public via a form 8-K within four business days.
Despite the scale of the breach, no one outside of the company was notified until Sept. 20.
Two days before the report went public, Yahoo! informed Verizon. The two companies are in the process of a $4.83 billion merger. The deal also includes a $1.1 billion in employee stock compensation.
“I think we have a reasonable basis to believe right now that the impact is material and we’re looking to Yahoo! to demonstrate to us the full impact,” said Verizon’s general counsel Craig Silliman. “If they believe that it’s not then they’ll need to show us that.”
On Tuesday, Oct. 18, Verizon and Yahoo! had their first formal conversation about the status of the merger, after the report gave the former a reasonable excuse for potentially backing out.
Though the breach is not a breaking point for the deal, Verizon may be aiming to renegotiate the price tag. Reports suggest that Verizon is looking to take $1 billion off the purchase price. The deal is also subject to a breakup fee in the amount of $145 million, payable by Yahoo!.
Only 8% of Internet users create unique passwords for their accounts, which is the primary method of deterring future compromises.