SEC Investigates Yahoo Data Breaches

Report of an SEC probe of Yahoo serves as a new wake-up call for companies to properly disclose breaches in their earnings reports and disclosures.

The Securities and Exchange Commission (SEC) has reportedly launched an investigation to determine whether Yahoo waited too long before sharing with investors that it had been hit with two major data breaches.

Businesses are required by the SEC to report cyber-risks as soon as they are believed to affect investors. The Wall Street Journal, citing sources familiar with the matter, reports the SEC requested documents in December as part of an inquiry into whether Yahoo obeyed these laws.

Investigators are likely looking into Yahoo's 2014 data breach, which exposed the account information of 500 million users. Yahoo waited two years before disclosing the breach in September 2016, and it botched the delivery.

"They did an awful job at breach notification," says Jeff Pollard, principal analyst at Forrester, of Yahoo's public handling of the data breach. Yahoo's language and communication channels were poorly chosen, he explains, and there was little emphasis on the victims whose data was compromised.

"There was a lot of discussion about Yahoo, but not a lot of discussion about Yahoo users," Pollard notes. The disclosure of an August 2013 breach, which exposed the data of more than 1 billion users, was "a bit better" when Yahoo made the announcement in December 2016.

However, there is room for improvement. The results of this investigation could have long-term implications for all organizations affected by cybercrime.

"By 2016, data breaches have become common," says Pollard. "That's a sad fact, but it's also true. The bar has been raised for what a good response, and good [customer] notification, looks like."

The current SEC investigation signals that cybersecurity is an issue that must be on the agenda when businesses prepare earnings reports and disclosures. From a regulatory perspective, Pollard continues, it's a topic nobody can avoid.

As cyber threats continue to grow, companies will be forced to think about how they're investigating data breaches and communicating their findings. Their strategies can affect both brand resilience and customer trust.

How long should companies wait before disclosing security breaches? This will be a difficult question to answer as they balance the importance of a thorough investigation with customer needs.

"It's tough to say you should notify customers quickly because you want to be as thorough as possible," says Pollard. "At the same time, you have an obligation. Once you have some degree of information that allows you to understand how customers and partners might be affected, you should notify them."

It's worth noting that Yahoo disclosed both the 2013 and 2014 data breaches after it agreed to sell core businesses to Verizon last summer, which some experts believe is part of the reason its breaches have become so highly publicized.

"Yahoo is having all this play out in the headlines because of their name and the Verizon deal," says Jonathan Sander, vice president of product strategy at Lieberman Software. "It's all too likely that any IT shop could find themselves in the same boat if they came under this level of scrutiny."

Pollard also questions whether the SEC would be digging into Yahoo's data breaches if not for the potential size of its Verizon deal. Regardless of its outcome, he says, if the legal system begins to consider cybersecurity a material matter, it will inform regulatory bodies they need to think about it as well.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comment, 1/26/2017, 5:56:36 PM
Do we need a US version of GDPR?
The penalty for such breaches and the lack of their disclosure for two years would be significant after May 2018 in Europe. It is also surprising that, with all that is found on the dark net, companies would avoid disclosing. Or maybe they really had no idea they had been breached? We may never know, but the fact is that regulations will tighten to prevent such avoidance of disclosure.