These days the news of yet another major information hack of a large tech company doesn’t come as much of a surprise. With such valuable information available, and hackers becoming ever more creative when it comes to finding ways of obtaining this sensitive material, data breaches have become less a matter of if, and more of when.
However, the most recent major data hack of Yahoo—which reportedly resulted in the personal data of half a billion users being stolen by “state-sponsored” hackers—was notable not because of the hack itself, but because of the troubling way that Yahoo responded (or in this case, didn’t) to it. Already struggling as a company, Yahoo was recently bought by Verizon after struggling to reboot the company under Marisa Mayer. It has now come to light that it took them two years to disclose that the company had suffered a major breach, and many are wondering what took them so long.
According to reporting by Reuters, “The internet firm has said it detected the breach this summer after conducting a security review prompted by an unrelated hacking claim that turned out to be meritless. Yahoo has not given a precise timeline explaining when it was made aware of the 2014 attack, or if it knew of the breach before announcing the deal with Verizon in late July.”
In a letter to Marisa Mayer from six American congressmen, the lawmakers openly questioned the ethics of a company that went through a major merger without disclosing that this hack had happened. “That means millions of Americans’ data may have been compromised for two years,” wrote the senators to Marisa Mayer. “This is unacceptable.”
All of this begs the question: what is a company like Yahoo’s responsibility when it comes to a large hack such as this one? And more importantly, what should be their punishment, if any, for failing to disclose that the hack took place?
It has yet to be determined if Yahoo was aware of the hack and chose not to disclose it, or if they did not learn of the attack until long after it happened. Either way, it demonstrates gross negligence for a company that is already struggling to gain back user trust and confidence. While the Securities and Exchange Commission in America puts forth guidance for companies regarding how to deal with disclosure in the aftermath of an attack, Yahoo has yet to be transparent. That’s why some are calling for the SEC to “investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the hacking attack.”
This incident really shows that national laws need to be established which oblige companies to full disclosure in the wake of such an attack. If Yahoo really did not know for two entire years that half a billion users had been affected by a hack, that it’s only fair that the company pay for that failure in terms of its stock price and usership decline. Allowing them to hide behind vague timelines and so-called confidentiality measures only enables tech companies like that from having lax oversight.
For now, it remains to be seen if Yahoo will face any serious legal charges in the wake of their apparent negligence. However, as Fortune reported, “While the merger [with Verizon] was considered to be a done deal as of the last week, there are signs Verizon could walk away due to the breach.” The SEC and lawmakers would do well to make an example out of Yahoo in this case though, unless they want to see similar hacks dealt with in such a careless way from other companies in the future.