The two-year lag between Yahoo's data breach and the company's disclosure of the hack is "unacceptable," six Democratic lawmakers say in a letter to CEO Marissa Mayer.
"Millions of Americans' data may have been compromised for two years," Sens. Patrick Leahy (Vermont), Ed Markey (Massachusetts), Elizabeth Warren (Massachusetts), Richard Blumenthal (Connecticut), Ron Wyden (Oregon) and Al Franken (Minnesota) write. "This is unacceptable... Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information."
The letter was prompted by Thursday's revelation that hackers may have obtained email addresses, telephone numbers, security questions, birth dates and encrypted passwords associated with as many as 500 million Yahoo accounts. Bob Lord, Yahoo's chief information security officer, said the data breach occurred in late 2014. He added that the company believes a "state-sponsored actor" is responsible for the data theft.
News of the data breach could affect Yahoo's plans to sell itself to Verizon for $4.8 billion; some observers now predict Verizon will attempt to negotiate a lower price.
The lawmakers who wrote to Mayer today asked her for a chronological account of the security breach, including when the company learned it was hacked, when it notified law enforcement, and when it told consumers.
The senators also ask Mayer how the company plans to protect the half a billion affected account holders, and what steps it's taking to prevent future attacks.
Meanwhile, another Democratic lawmaker, Sen. Mark Warner of Virginia, has asked the SEC to investigate whether the company should have told investors about the data breach earlier than last week.
"Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year. Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public," Warner wrote in a letter to SEC Chair Mary Jo White.
He adds that public companies must disclose "material" events within four business days. "A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event," Warner writes. "The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."