The fallout from a data breach affecting 500 million Yahoo Inc. user accounts is coming hard and fast, as senior Democrats ramp up pressure over the company’s delay in disclosing the incident.
In a letter Tuesday, six Senate Democrats told Yahoo Chief Executive Marissa Mayer that it is “unacceptable” that her company announced just last week that hackers compromised the personal information of more than half a billion accounts in 2014.
That length of delay “means millions of Americans’ data may have been compromised for two years,” Sens. Richard Blumenthal of Connecticut, Al Franken of Minnesota, Patrick Leahy of Vermont, Ed Markey and Elizabeth Warren of Massachusetts and Ron Wyden of Oregon wrote.
The senators called for Yahoo to provide a briefing to their staffs on the company’s investigation into the data breach that appears to be the largest publicly disclosed hack in history, as well as the firm’s interactions with law enforcement and its plans to assist affected users.
Yahoo said last week that it is “working closely with law enforcement” in its investigation, but didn’t elaborate further. The company also said it suspects state-sponsored hackers stole personal data that could have included names, email addresses, telephone numbers, birthdays, passwords and in some cases security questions and answers.
“This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles,” the senators said in the letter.
The breach affected not only users of Yahoo’s core site but also Yahoo Mail, Flickr, Yahoo Finance and Yahoo’s fantasy sports platform.
The senators requested Yahoo provide answers to questions both for Congress and the public. They also asked Mayer to inform them how and when the company first learned user information had been compromised, and to provide a timeline.
“Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information,” the senators wrote, adding that they want information on whether anyone in the U.S. government had warned Yahoo of a hacking attempt.
In its release last week, Yahoo didn’t provide information on whether it would protect consumers affected or offer free credit monitoring or identity theft prevention services. Many businesses hit by data breaches have provided those services to affected customers.
Yahoo, headquartered in Sunnyvale, Calif., is subject to a 2014 state law that requires an entity offering identity theft prevention services after a breach to do so at no cost for at least a year. That law does not require a company to offer those services, however.
Yahoo Chief Information Security Officer Bob Lord wrote a blog post detailing steps users should take to protect their information, such as changing their passwords. Lord said the company is notifying “potentially affected users” and has “invalidated unencrypted security questions and answers so they cannot be used to access an account.”
A Yahoo security page details extra steps users can take: obtaining their credit reports, filing a police report (which can then be used to obtain a free security freeze on their credit files) and filing inquiries with the Federal Trade Commission.
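The one concrete defensive step the article reports is that Yahoo invalidated security answers it had stored unencrypted, since an attacker holding a copy of the database knows them. The following is an added illustration, not Yahoo's code and not described on this page, of how a service can store security answers so a stolen table does not reveal them (salted scrypt, as for passwords), verify a candidate in constant time, and refuse and purge any record still in a legacy plaintext scheme. The scheme names, scrypt parameters and sample records are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters (not from the article): scrypt cost settings and salt size.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize a security answer so trivial variations still match.

    Users type 'Fluffy', ' fluffy ' and 'FLUFFY' for the same pet; hashing the
    raw string would reject all but one of them and push users to simpler answers.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str) -> dict:
    """Store a security answer the way a password is stored: per-record salt
    plus a slow KDF, so a stolen database does not yield the answer itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
    )
    return {"scheme": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Check a candidate answer against a stored record.

    Anything not in the hashed scheme (plaintext, or already invalidated) is
    refused outright: once the table has been stolen, a plaintext answer is
    known to the attacker and must not be honoured for account recovery.
    """
    if record.get("scheme") != "scrypt":
        return False
    digest = hashlib.scrypt(
        normalize_answer(candidate).encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def invalidate_legacy_answers(records: dict) -> list:
    """Purge every answer still stored in plaintext and mark the record so it
    can never be used again. Returns the user ids that must re-enroll new
    questions; hashing the old plaintext answers in place would be wrong,
    because the attacker already has them."""
    affected = []
    for user, rec in records.items():
        if rec.get("scheme") == "plaintext":
            rec.pop("answer", None)
            rec["scheme"] = "invalidated"
            affected.append(user)
    return affected


# Constructed sample data for the example; these are not real account records.
SAMPLE_DB = {
    "alice": {"scheme": "plaintext", "answer": "Fluffy"},
    "bob": hash_answer("Maple Street"),
}
```

Usage: `verify_answer(SAMPLE_DB["bob"], " maple STREET ")` returns True, the plaintext record for `alice` is refused even with the correct answer, and `invalidate_legacy_answers(SAMPLE_DB)` returns `["alice"]` after stripping the stored answer.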
The letter from Democratic senators is not the first step taken by lawmakers regarding Yahoo’s handling of the data breach and subsequent disclosure.
Democratic Sen. Mark Warner (Va.), a founding member of the Senate Cybersecurity Caucus, on Monday called for a Securities and Exchange Commission investigation into whether Yahoo fulfilled its legal obligations to inform its investors and the public about the hack.
Warner said a September filing from the firm “asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public.”
Last week, Warner said the breach showed Congress needs to act “to create a uniform data breach notification standard so that consumers are notified in a much more timely manner,” adding that such a measure is “long overdue.”
In January 2015, Sen. Bill Nelson of Florida, the top Democrat on the Senate Commerce Committee, introduced S. 177, a measure that would require entities hit by data breaches to disclose those hacks to the FTC and to customers believed to be affected within 30 days of the discovery of the breach.
The measure was referred to the Commerce Committee but has not received a hearing or vote.