Yahoo's Silence About Hack in SEC Filing for Verizon Sale May Cause It Trouble

By Hayley Tsukayama, The Washington Post | Updated: 25 November 2016 17:21 IST
Highlights
  • Yahoo said it learned of its recent huge breach in August
  • Yahoo said it launched two different hack investigations this summer
  • SEC to investigate Yahoo's September 9 proxy filing

Yahoo said it learned of its recent huge breach, which affected more than 500 million user accounts, in August.

Yet on September 9 - after it started its investigation - the company said in a regulatory filing that it was not aware of "any incidents of, or third party claims alleging" security breaches, "unauthorised access or use" of its information technology systems or misuse of personal information that could significantly impact its business.

This apparent conflict between when it learned about the breach and what it filed with the Securities and Exchange Commission about its proposed sale to Verizon has raised questions about what the tech company knew and when.

Companies are required to tell the SEC about events that any "reasonable investor would consider important in an investment decision," according to the agency. Independent security experts who looked at the proxy filing say that the company could be on shaky ground if it comes to light that it in any way understood the seriousness of the breach when it made that statement.

Yahoo was very careful in the wording of its September 9 filing, said Kim Phan, a District of Columbia-based lawyer specializing in data and privacy security at Ballard Spahr. "Looking at their exact statement in their filing, they are very specific - they say 'to our knowledge' we don't know this was a breach," Phan said. "From a legal perspective, it's not deceptive. However, it doesn't mean that they were fulfilling the spirit of the law."

Yahoo said it launched two different hack investigations this summer. The first one was in July but had no "direct connection" to the breach of 500 million user accounts. It found no evidence of that alleged hack and closed its probe, the company said.

"In late August, Yahoo chose to begin a separate, comprehensive security investigation," Yahoo said in a statement to The Post. "That investigation, which is ongoing, eventually resulted in the information that was shared publicly on September 22."

However, that still places the proxy filing - and Yahoo's claim that it had no knowledge of a serious breach - after the start of the company's investigation in August.

Yahoo declined to elaborate on the September 9 filing. The SEC declined to comment.

The tech giant is already facing calls for closer scrutiny into the way it reported the breach. Sen. Mark Warner, D-Virginia, on Monday called on the SEC to investigate whether Yahoo failed to fulfill its legal obligations to shareholders and consumers in light of the massive breach that exposed the information of 500 million user accounts.

"I've been on public corporate boards and don't see how anyone wouldn't view this as a material fact," Warner, a former technology executive, said in an interview with The Post on Tuesday.

The question of whether an investigation with serious concerns of a breach can be enough cause for disclosure is difficult to answer, experts said.

The standard for reporting a breach, Phan said, is whether there could be material harm to a company. For example, if proprietary information central to a company's business model were stolen, then that could be considered material harm. Another example is anything that can significantly damage the reputation of the company. But harm can be difficult to evaluate, particularly if a breach is caught and contained quickly.

"There's a risk to reporting," she said, citing bad press around a breach, even if the intrusion itself doesn't cause the company much harm. "While companies are being too conservative about reporting, they don't always need to report everything."

Companies can also sometimes be asked by law enforcement not to disclose breaches, experts said, to avoid disrupting ongoing investigations.

"Yahoo has been stingy with the facts, but this may be at the request of US law enforcement or the intelligence community," said Leo Taddeo, a former special agent in charge of the FBI's New York cybercrime office and now chief security officer at security firm Cryptzone. "Otherwise, the hackers may get tipped off to the US government's sources and capabilities."

Yahoo's case especially stands out because of its circumstances. Yahoo is in the midst of a sale, after all, and its statement that it had no knowledge of the breach was made in a proxy filing - something experts say is unusual. If Yahoo wanted to disclose a breach, it would have done so in a separate filing, as it did on September 22.

Whether its language in the proxy filing will lead to an SEC investigation remains unclear.

Since offering its guidance on disclosing breaches in 2011, the SEC has not penalized any company for failing to do so. And several companies do not report breaches, Phan said. Sony, for example, which suffered an extensive breach of its records in 2014, never filed a notice with the SEC over that incident.

That, according to Warner, is also a problem.

Yahoo, he said, is just the latest example to illustrate that the current regulatory framework needs work. "This shows that this is an area that's changing faster than rules and technology can keep up with," he said. "If this kind of massive breach doesn't spur us on, I don't know what will."

© 2016 The Washington Post

 
