Federal officials are investigating Yahoo over how promptly the beleaguered Internet company informed the public about its historic data breaches that together affected more than 1 billion consumers, according to a report by the Wall Street Journal.
The probe will reportedly seek to determine why Yahoo waited weeks to disclose knowledge last year of a hack that occurred in 2014, an incident that compromised 500 million user accounts. An earlier breach, in 2013, left about 1 billion customers at risk, though it was not until last fall that Yahoo discovered evidence of that attack, as well.
The investigation is being handled by the Securities and Exchange Commission, which in 2011 began requiring companies to disclose information about hacking risks or incidents that may affect investors in a “material” way. And it could become a major test case that lays down clearer expectations about when businesses must reveal that information, analysts told the Journal.
The investigation, which began in December, is in its early stages, the Journal reported, and although it could lead to an enforcement action by the agency, such steps are rare. An earlier SEC investigation into a 2013 breach at Target did not lead to a punishment of the retailer, even though the incident affected tens of millions of customer accounts. The SEC declined to comment for this article.
Shortly after Yahoo made its discovery of the 2014 hack public, critics called on the SEC for a deeper look at the company’s conduct. In September, Sen. Mark R. Warner (D-Va.) said in a letter to the agency that Americans had the right to know “what senior executives at Yahoo knew of the breach, and when they knew it.”
Yahoo declined to comment for this article, pointing to regulatory filings that say the company is cooperating with government officials – including those from the SEC – examining the hack.
But the investigation’s implications stretch far beyond Yahoo’s immediate business. It also raises fresh questions for the telecommunications giant Verizon, which is in the midst of a $4.8 billion deal to acquire the former Web titan.
“I think it’s going to get a lot uglier for Yahoo going forward over the next year,” said Jeff Kagan, an independent technology and telecom analyst.
Verizon declined to comment. But executives have voiced strong concerns about the hacks, signaling in October that they may have had a significant impact on Yahoo’s core business. Analysts say that a concrete finding of that sort by Verizon could allow it to renegotiate terms or even abandon the purchase.
Verizon had expected the deal to close in the first quarter. But in its quarterly earnings report Monday, Yahoo said that it now expects the deal to close “as soon as practicable” in the second quarter, citing “work required to meet closing conditions.”
In the same report, Yahoo chief executive Marissa Mayer said that attempts to improve the company’s security posture were ongoing. About 9 in 10 of the company’s daily users have already beefed up their account security by changing their passwords or taking similar steps, or never needed to in the first place, according to the earnings report.
The fate of the deal remains in doubt as Marni Walden, Verizon’s president of product innovation and new businesses, said this month that she was unsure whether it would go through.
“I can’t sit here today and say with confidence one way or another, because we still don’t know,” she told an investor conference.
Yahoo shares closed up 0.83 percent Monday.