Yahoo is facing increased scrutiny from two U.S. senators who say the company has not been sufficiently forthcoming about its two massive data breaches that exposed more than 1 billion consumers' records to hackers.
In a letter to Yahoo CEO Marissa Mayer, the senators say they are concerned about Yahoo's "last-minute" cancellation of a Jan. 31 meeting with Senate staffers and say the unexplained cancellation adds to "concerns about the company’s willingness to deal with Congress with complete candor about these recent events.”
The senators -- John Thune (R-S.D.), chairman of the Senate Commerce Committee, and Jerry Moran (R., Kan.), chairman of the Subcommittee on Consumer Protection, Public Safety, Insurance, and Data Security -- said Yahoo executives "have thus far been unable to provide answers to many basic questions" about the breaches.
The company said it was studying the letter and would "respond as appropriate," the Wall Street Journal reported.
500 million + 1 billion
In September 2016, Yahoo said that about 500 million customer accounts had been hacked in 2014, leading analysts to call it the largest data breach ever. But then, in December, the company said a second, earlier data breach in 2013 had affected no fewer than 1 billion accounts.
A litany of information was exposed in the breaches, including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Payment card data, passwords in clear text, and bank account information were not compromised, the company said.
The senators cited confusing, sometimes conflicting, information about when and how the breaches occurred and when the company learned of them. And, saying its primary goal is protecting consumer privacy, directed five questions to Mayer:
Besides the Senate inquiry, the Wall Street Journal has reported that the U.S. Securities and Exchange Commission is investigating whether the company should have reported the breaches to investors earlier.
Besides the possibility of regulatory action, the breaches are endangering Yahoo's deal to sell itself to Verizon for $4.8 billion. In October, the New York Post said Verizon was pushing for a $1 billion discount because it was not informed of the full extent of the breaches when the deal was made.
“In the last day we’ve heard that [AOL boss] Tim [Armstrong] is getting cold feet. He’s pretty upset about the lack of disclosure and he’s saying, ‘Can we get out of this or can we reduce the price?’” said a source close to Verizon, the Post reported.