Sen. Mark Warner (D) is asking the United States Securities and Exchange Commission to investigate the recently reported Yahoo data breach.
The Virginia senator wants a probe into whether Yahoo and its senior executives fulfilled their obligations to keep both investors and the public informed regarding the breach.
Moreover, Sen. Warner also asked the SEC to investigate if the company made a complete and accurate representation regarding the security of its IT systems.
"Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about," writes Warner in his letter to the SEC. "Data security increasingly represents an issue of vital importance to management, customers and shareholders, with major corporate liability, business continuity and governance implications. A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event."
According to Yahoo's report, which was posted on Thursday, Sep. 22, the data breach involving 500 million user accounts occurred in 2014. However, it is unclear when the company learned of the breach. The senator cites press reports, which suggest Yahoo CEO Marissa Mayer has had knowledge of the breach since July 2016.
Protocol dictates that data breaches must be disclosed to investors and the public within four business days via a Form 8-K. Sen. Warner notes Yahoo's failure to do so despite the scale of the aforementioned breach.
Sen. Warner adds that Yahoo did not inform Verizon, which is in the process of closing the $4.83 billion deal for the acquisition of Yahoo's core business, until Sep. 20. Both companies have been in talks regarding the acquisition since July this year.
Further confusing things is a statement that Yahoo issued earlier this September.
"To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller's or the Business Subsidiaries' information technology systems," a proxy statement reads.
The senator says that Yahoo's pronouncement creates serious concerns about truthfulness in representations to the public. He notes that the public must know what Yahoo executives knew of the breach and when they were informed of it.
Aside from the concerns that the senator raised, Yahoo has yet to answer whether the claims of a hacker known as Peace are valid or not. Note that Peace sold 200 million Yahoo user accounts via the dark web. The hacker claims that the dumps are from 2012.
Moreover, Yahoo has also yet to clarify whether Peace and the "state-sponsored actor" who was responsible for the reported hack of 500 million user accounts are one and the same. Some analysts speculate that they are not the same, which means two instances of hacking took place, if Peace's claims are true.