2 October 2016

US Senators Want Yahoo! To Answer Questions Regarding Data Breach

SEPTEMBER 28, 2016

Sen. Ron Wyden, D-Ore., joined Sen. Patrick Leahy, D-Vt., and other sponsors of a comprehensive data security and breach notification bill in calling on the leader of Yahoo! to disclose how a massive hack at the company went unnoticed for two years. The bill requires companies to take reasonable steps to secure their customers’ sensitive data and notify customers in the event of a hack.

In a letter to Yahoo! CEO Marissa Mayer, Wyden, Leahy and leading Democratic Senators asked the company to provide a timeline of the hack, which compromised at least 500 million accounts, and when law enforcement and users were notified. The lawmakers are also seeking information about how widespread the hack is, and what Yahoo! is doing to prevent such a hack in the future.

“The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers. This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles,” the letter states.


The letter continues: “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”

Wyden co-sponsored the Consumer Privacy Protection Act authored by Leahy last year to establish a comprehensive approach to data security by requiring companies to take preventative steps to defend against cyber attacks and prevent data breaches, and to quickly notify customers in the event a data breach occurs.

The measure addresses the kinds of security breaches that have affected retail stores in recent years, as well as breaches of personal email, online accounts, and cloud computing that have sent Americans’ personal information, photos and even location out into public view.

Cosponsors of the consumer privacy legislation also joined Tuesday in the letter to Yahoo!. Democratic Senators signing the letter include: Patrick Leahy (Vt.), Al Franken (Minn.), Elizabeth Warren (Mass.), Richard Blumenthal (Conn.), Ron Wyden (Ore.), and Edward J. Markey (Mass.).

A copy of the September 27 letter to CEO Marissa Mayer is below.

# # # # #

September 27, 2016

Ms. Marissa Mayer

Chief Executive Officer

Yahoo Inc.

701 First Avenue

Sunnyvale, CA 94089

Dear Ms. Mayer:

We write following your company’s troubling announcement that account information for more than 500 million Yahoo users was stolen by hackers, compromising users’ personal information across the Yahoo platform and on its sister sites, including Yahoo Mail, Flickr, Yahoo Finance, and Yahoo Fantasy Sports. The stolen data included usernames, passwords, email addresses, telephone numbers, dates of birth, and security questions and answers. This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.

We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.

In light of these troubling revelations, please answer the following questions to help Congress and the public better understand what went wrong and how Yahoo intends to safeguard data and protect its users, both now and in the future. We also request that Yahoo provide a briefing to our staff on the company’s investigation into the breach, its interaction with appropriate law enforcement and national security authorities, and how it intends to protect affected users.

When and how did Yahoo first learn that its users’ information may have been compromised? Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers.

Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?

What Yahoo accounts, services, or sister sites have been affected?

How many total users are affected? How were these users notified?

What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?

What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?

What is Yahoo doing to prevent another breach in the future? Has Yahoo changed its security protocols, and in what manner?

Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?

Thank you for your prompt attention to this critical matter.
