Yahoo indicated Wednesday at least some of its employees knew in 2014 about a state-sponsored intrusion that compromised more than 500 million accounts despite the incident not being publicly disclosed until roughly two years later.
In a filing made with the U.S. Securities and Exchange Commission this week, Yahoo said an internal review launched this summer has revealed that certain staffers knew about the massive security breach sometime in late 2014.
In July, Yahoo “intensified an ongoing broader review of the company’s network and data security, including a review of prior access to the company’s network by a state-sponsored actor that the company had identified in late 2014,” the filing said.
“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures and related incidents and issues,” Yahoo said.
That breach wasn’t revealed until September when Yahoo said it that a state-sponsored intrusion two years earlier had caused hackers to make off with the user names, email address, phone numbers, birth dates and password information for at least a half-billion account holders.
Verizon Communications had offered to buy Yahoo for $4.8 billion two months prior to the breach being disclosed, and Yahoo acknowledged in Wednesday’s filing that the incident may case the acquisition to evaporate.
There’s “no assurance” Verizon will follow through with the deal as planned, the filing said, and Verizon “may seek to terminate the stock purchase agreement or renegotiate the terms of the sale” because of the “security incident.”
At least 23 separate lawsuits have filed against Yahoo in the U.S. and abroad since the internet company announced the data breach Sept. 22, the SEC filing said. As of Sept. 30, Yahoo said expenses related to the breach had cost the company roughly $1 million.
Senate Democrats asked Yahoo CEO Marissa Mayer after the breach was announced for a timeline explaining when her company learned it was hacked and how it reacted afterwards, writing at the time that it would be “unacceptable” if Yahoo waited two years before disclosing details about the incident.
“This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,” a group of six Democrats led by Sen. Patrick Leahy of Vermont said in a letter to Ms. Mayer sent in late September. “Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”
Please read our comment policy before commenting.