US senators demand Yahoo! (finally) answers some questions about security

By Stuart Lauchlan, February 13, 2017
Yahoo! pulled out of a Congressional meeting last month and Senators are pissed. Time for Marissa Mayer and team to review their disclosure thinking on the subject?

Time to talk

An unwelcome aspect of Verizon’s proposed takeover of Yahoo! has been the spotlight thrown on the latter’s ‘drip feed’ of information about the massive security breaches that came to light last year. That’s led to speculation that the planned deal might either fall by the wayside or that the bidding price will be reduced.

That speculation won’t be diminished by the publication of a stroppy letter from Republicans John Thune (chair of the US Senate's Committee on Commerce, Science and Transportation) and Jerry Moran (chair of its sub-committee for Consumer Protection, Product Safety, Insurance and Data Security) to Yahoo! CEO Marissa Mayer complaining that the company has not been co-operating as much as it could with a probe into the data breaches.

The final straw appears to have been Yahoo!’s decision to pull out of a scheduled meeting on 31 January, which has led to senators demanding responses to questions by 23rd February. The letter says:

Yahoo!’s recent last-minute cancellation of a planned congressional briefing…has prompted concerns about the company’s willingness to deal with Congress with complete candor about these recent events…We have attempted to learn more about these incidents for some time.

According to the senators:

Despite several inquiries by committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches. Yahoo! has not attempted to supplement its answers to the Committee as new information has become available, despite committing to do so.

The upshot is that Mayer and her team need to deliver answers sharpish to the following questions:

  • With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!’s efforts to identify and provide notice to these users.
  • With respect to the aforementioned incidents, what type of data does Yahoo! believe have been compromised? Does the data include sensitive personal information?
  • What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?
  • What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?
  • In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo!’s initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.

The US Securities and Exchange Commission (SEC) has already issued a filing indicating it plans to investigate whether Yahoo! could and should have disclosed its two enormous data breaches sooner.

My take

This whole situation is being really badly managed by Yahoo! from an external comms perspective. Any journalist or analyst - never mind Yahoo! customers - will sympathise with this cry for disclosure from the Senators.