The two-year lag between Yahoo's data breach and the company's disclosure of the hack is "unacceptable," six Democratic lawmakers say in a letter to CEO Marissa Mayer.
"Millions of Americans' data may have been compromised for two years," Sens. Patrick Leahy (Vermont), Ed Markey (Massachusetts), Elizabeth Warren (Massachusetts), Richard Blumenthal (Connecticut), Ron Wyden (Oregon) and Al Franken (Minnesota) write. "This is unacceptable... Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information."
The letter was prompted by Thursday's revelation that hackers may have obtained email addresses, telephone numbers, security questions, birth dates and encrypted passwords associated with as many as 500 million Yahoo accounts. Bob Lord, Yahoo's chief information security officer, said the data breach occurred in late 2014. He added that the company believes a "state-sponsored actor" is responsible for the data theft.
News of the data breach could affect Yahoo's plans to sell itself to Verizon for $4.8 billion; some observers now predict Verizon will attempt to negotiate a lower price.
The lawmakers who wrote to Mayer today asked her for a chronological account of the security breach, including when the company learned it was hacked, when it notified law enforcement, and when it told consumers.
The senators also ask Mayer how the company plans to protect the half a billion affected account holders, and what steps it's taking to prevent future attacks.
Meanwhile, another Democratic lawmaker, Sen. Mark Warner of Virginia, has asked the SEC to investigate whether the company should have told investors about the data breach earlier than last week.
"Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year. Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public," Warner wrote in a letter to SEC Chair Mary Jo White.
He adds that public companies must disclose "material" events within four business days. "A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event," Warner writes. "The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."