Yahoo's Silence About Hack in SEC Filing for Verizon Sale May Cause It Trouble

Advertisement
By Hayley Tsukayama, The Washington Post | Updated: 25 November 2016 17:21 IST
Highlights
  • Yahoo said it learned of its recent huge breach in August
  • Yahoo said it launched two different hack investigations this summer
  • SEC to investigate Yahoo's September 9 proxy filing
Yahoo's Silence About Hack in SEC Filing for Verizon Sale May Cause It Trouble

Yahoo said it learned of its recent huge breach, which affected more than 500 million user accounts, in August.

Yet on September 9 - after it started its investigation - the company said in a regulatory filing that it was not aware of "any incidents of, or third party claims alleging" security breaches, "unauthorised access or use" of its information technology systems or misuse of personal information that could significantly impact its business.

This apparent conflict between when it learned about the breach and what it filed with the Securities and Exchange Commission about its proposed sale to Verizon has raised questions about what the tech company knew and when.

Companies are required to tell the SEC about events that any "reasonable investor would consider important in an investment decision," according to the agency. Independent security experts who looked at the proxy filing say that the company could be on shaky ground if it comes to light that it in any way understood the seriousness of the breach when it made that statement.

Advertisement

Yahoo was very careful in the wording of its September 9 filing, said Kim Phan, a District of Columbia-based lawyer specializing in data and privacy security at Ballard Spahr. "Looking at their exact statement in their filing, they are very specific - they say 'to our knowledge' we don't know this was a breach," Phan said. "From a legal perspective, it's not deceptive. However, it doesn't mean that they were fulfilling the spirit of the law."

(Also see: Yahoo Hack Was Not State-Sponsored, Claims Security Firm)

Yahoo said it launched two different hack investigations this summer. The first one was in July but had no "direct connection" to the breach of 500 million user accounts. It found no evidence of that alleged hack and closed its probe, the company said.

Advertisement

"In late August, Yahoo chose to begin a separate, comprehensive security investigation," Yahoo said in a statement to The Post. "That investigation, which is ongoing, eventually resulted in the information that was shared publicly on September 22."

However, that still places the proxy filing - and Yahoo's claim that it had no knowledge of a serious breach - after the start of the company's investigation in August.

Advertisement

Yahoo declined to elaborate on the September 9 filing. The SEC declined to comment.

The tech giant is already facing calls for closer scrutiny into the way it reported the breach. Sen. Mark Warner, D-Virginia, on Monday called on the SEC to investigate whether Yahoo failed to fulfill its legal obligations to shareholders and consumers in light of the massive breach that exposed the information of 500 million user accounts.

"I've been on public corporate boards and don't see how anyone wouldn't view this as a material fact," Warner, a former technology executive, said in an interview with The Post on Tuesday.

The question of whether an investigation with serious concerns of a breach can be enough cause for disclosure is difficult to answer, experts said.

The standard for reporting a breach, Phan said, is whether there could be material harm to a company. For example, if proprietary information central to a company's business model were stolen, then that could be considered material harm. Another example is anything that can significantly damage the reputation of the company. But harm can be difficult to evaluate, particularly if a breach is caught and contained quickly.

"There's a risk to reporting," she said, citing bad press around a breach, even if the intrusion itself doesn't cause the company much harm. "While companies are being too conservative about reporting, they don't always need to report everything."

Companies can also sometimes be asked by law enforcement not to disclose breaches, experts said, to avoid disrupting ongoing investigations.

"Yahoo has been stingy with the facts, but this may be at the request of US law enforcement or the intelligence community," said Leo Taddeo, a former special agent in charge of the FBI's New York cybercrime office and now chief security officer at security firm Cryptzone. "Otherwise, the hackers may get tipped off to the US government's sources and capabilities."

(Also see: US Senators Accuse Yahoo of 'Unacceptable' Delay in Breach Discovery

Yahoo's case especially stands out because of its circumstances. Yahoo is in the midst of a sale, after all, and its statement that it had no knowledge of the breach was made in a proxy filing - something experts say is unusual. If Yahoo wanted to disclose a breach, it would have done so in a separate filing, as it did on September 22.

Whether its language in the proxy filing will lead to an SEC investigation remains unclear.

Since offering its guidance on disclosing breaches in 2011, the SEC has not penalized any company for failing to do so. And several companies do not report breaches, Phan said. Sony, for example, which suffered an extensive breach of its records in 2014, never filed a notice with the SEC over that incident.

That, according to Warner, is also a problem.

Yahoo, he said, is just the latest example to illustrate that the current regulatory framework needs work. "This shows that this is an area that's changing faster than rules and technology can keep up with," he said. "If this kind of massive breach doesn't spur us on, I don't know what will."

© 2016 The Washington Post

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Vivo Y400 Pro 5G With 5,500mAh Battery Launched in India: Price, Features
  2. Oppo Reno 14 5G Series Global Launch Scheduled for This Date
  3. Samsung Galaxy S24 FE Gets a Price Cut on Amazon: See Offer
  4. Nothing Headphone 1 Renders Leaked Ahead of July 1 Launch: See Design
  5. iPhone 16 Pro, iPhone 16 Pro Max Price Discounted on Flipkart: See Offers
  6. Samsung Galaxy S25 FE Leaked Render Suggests Improved Design
  7. Vivo X Fold 5 India Launch Timeline Tipped: All Details
  1. Samsung Galaxy S24 FE Gets a Price Cut on Amazon: See Offer
  2. Samsung Galaxy Buds Core Listed on Company Site; Design, Specifications Revealed
  3. iPhone 18 Pro Series Tipped to Get Hole-Punch Selfie Camera, Hidden Face ID System
  4. iPhone 16 Pro, iPhone 16 Pro Max Available at Discounted Prices on Flipkart: See Offers
  5. Oppo Reno 14 5G Series Global Launch Date Announced; Amazon, Flipkart Tease Online Availability in India
  6. Gigabyte Aorus Master 16 AI PC With Intel Core Ultra 9 Chip, Up to GeForce RTX 5080 GPU Launched in India
  7. Google Suffers Setback in Fight Over EU’s EUR 4.1 Billion Fine
  8. Vivo X Fold 5 India Launch Reportedly Set for Mid-July
  9. Trump Extends Deadline for US TikTok Sale to September
  10. Nothing Headphone 1 Renders and Live Images Leak Ahead of July 1 Launch; Shows Unique Design
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.