- Yahoo said it learned of its recent huge breach in August
- Yahoo said it launched two different hack investigations this summer
- SEC to investigate Yahoo’s September 9 proxy filing
Yahoo said it learned of its recent huge breach, which affected more than 500 million user accounts, in August.
Yet on September 9 – after it started its investigation – the company said in a regulatory filing that it was not aware of “any incidents of, or third party claims alleging” security breaches, “unauthorized access or use” of its information technology systems or misuse of personal information that could significantly impact its business.
This apparent conflict between when it learned about the breach and what it filed with the Securities and Exchange Commission about its proposed sale to Verizon has raised questions about what the tech company knew and when.
Companies are required to tell the SEC about events that any “reasonable investor would consider important in an investment decision,” according to the agency. Independent security experts who looked at the proxy filing say that the company could be on shaky ground if it comes to light that it in any way understood the seriousness of the breach when it made that statement.
Yahoo was very careful in the wording of its September 9 filing, said Kim Phan, a District of Columbia-based lawyer specializing in data and privacy security at Ballard Spahr. “Looking at their exact statement in their filing, they are very specific – they say ‘to our knowledge’ we don’t know this was a breach,” Phan said. “From a legal perspective, it’s not deceptive. However, it doesn’t mean that they were fulfilling the spirit of the law.”(Also see: Yahoo Hack Was Not State-Sponsored, Claims Security Firm)
Yahoo said it launched two different hack investigations this summer. The first one was in July but had no “direct connection” to the breach of 500 million user accounts. It found no evidence of that alleged hack and closed its probe, the company said.
“In late August, Yahoo chose to begin a separate, comprehensive security investigation,” Yahoo said in a statement to The Post. “That investigation, which is ongoing, eventually resulted in the information that was shared publicly on September 22.”
However, that still places the proxy filing – and Yahoo’s claim that it had no knowledge of a serious breach – after the start of the company’s investigation in August.
Yahoo declined to elaborate on the September 9 filing. The SEC declined to comment.
(Also see: Yahoo Hack: Ripple Effects Could Extend Well Beyond)
The tech giant is already facing calls for closer scrutiny into the way it reported the breach. Sen. Mark Warner, D-Virginia, on Monday called on the SEC to investigate whether Yahoo failed to fulfill its legal obligations to shareholders and consumers in light of the massive breach that exposed the information of 500 million user accounts.
“I’ve been on public corporate boards and don’t see how anyone wouldn’t view this as a material fact,” Warner, a former technology executive, said in an interview with The Post on Tuesday.
The question of whether an investigation with serious concerns of a breach can be enough cause for disclosure is difficult to answer, experts said.
The standard for reporting a breach, Phan said, is whether there could be material harm to a company. For example, if proprietary information central to a company’s business model were stolen, then that could be considered material harm. Another example is anything that can significantly damage the reputation of the company. But harm can be difficult to evaluate, particularly if a breach is caught and contained quickly.
“There’s a risk to reporting,” she said, citing bad press around a breach, even if the intrusion itself doesn’t cause the company much harm. “While companies are being too conservative about reporting, they don’t always need to report everything.”
Companies can also sometimes be asked by law enforcement not to disclose breaches, experts said, to avoid disrupting ongoing investigations.
“Yahoo has been stingy with the facts, but this may be at the request of US law enforcement or the intelligence community,” said Leo Taddeo, a former special agent in charge of the FBI’s New York cybercrime office and now chief security officer at security firm Cryptzone. “Otherwise, the hackers may get tipped off to the US government’s sources and capabilities.”
(Also see: US Senators Accuse Yahoo of ‘Unacceptable’ Delay in Breach Discovery)
Yahoo’s case especially stands out because of its circumstances. Yahoo is in the midst of a sale, after all, and its statement that it had no knowledge of the breach was made in a proxy filing – something experts say is unusual. If Yahoo wanted to disclose a breach, it would have done so in a separate filing, as it did on September 22.
Whether its language in the proxy filing will lead to an SEC investigation remains unclear.
Since offering its guidance on disclosing breaches in 2011, the SEC has not penalized any company for failing to do so. And several companies do not report breaches, Phan said. Sony, for example, which suffered an extensive breach of its records in 2014, never filed a notice with the SEC over that incident.
That, according to Warner, is also a problem.
Yahoo, he said, is just the latest example to illustrate that the current regulatory framework needs work. “This shows that this is an area that’s changing faster than rules and technology can keep up with,” he said. “If this kind of massive breach doesn’t spur us on, I don’t know what will.”
© 2016 The Washington Post