One lawmaker wants to know when Yahoo executives learned about a security breach of 500 million user accounts and whether the company complied with disclosure laws.
“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems,” wrote Sen. Mark Warner, D-Virginia, in a letter to Securities and Exchange Commission Chair Mary Jo White.
Warner suggests Yahoo, which is in the middle of a $4.8 billion deal to sell its core business to Verizon Communications, did not comply with federal securities laws that require companies to notify shareholders of “material events” using Form 8-K within four days.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Companies file Form 8-K for many events such as bankruptcy, modifying shareholders’ rights or when directors and senior officers change.
“A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event,” said the letter.
Yahoo announced Sept. 22 that an unnamed “state-sponsored actor” stole user data including names, email addresses, telephone numbers, birth dates, hashed passwords, and some security questions and answers from its networks in 2014. Warner’s letter states Verizon wasn’t notified until Sept. 20, even though the Yahoo sale has been underway since “at least July 25” and a Sept. 9 statement noted that Yahoo was not aware of any security breaches of its IT systems.