Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com)

Posted by msmash on from the tell-me-why dept.

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report:The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter wrote. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Roy Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing to senate staffers on its incident response and how it intends to protect affected users.

45 of 72 comments (clear)

  1. Yawho? by tripleevenfall · · Score: 4, Funny

    Sources say nothing of value was lost, as the breach only impacts people who still use Yahoo.

    1. Re:Yawho? by sbrown7792 · · Score: 4, Funny

      the breach only impacts people who still use Yahoo.

      Right, the senators were impacted and that's why they care.

    2. Re:Yawho? by davester666 · · Score: 2

      Really? They managed to migrate from AOL?

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Yawho? by RavenLrD20k · · Score: 4, Informative

      We're talking about senators here... you can't spew that much bullshit without having impacted bowels.

      Oh, by the way: your attempt at pedantry fails as a secondary definition for impacted literally means "strongly affected by something." Or, to see for yourself read #9 on the linked page. Also; by literally I mean that to be without exaggeration or inaccuracies.

  2. They could start forcing password resets by sims+2 · · Score: 1

    They could start forcing password resets like ebay did.

    That would be a start.

    --
    Minimum threshold fixed. Thanks!
    1. Re:They could start forcing password resets by sims+2 · · Score: 1

      No I haven't changed my yahoo password since sometime around Y2K it says "Make sure your account is secure!
      To secure your account, change your password and update your mobile number.

      And it gives me two options
      "Yes, secure my account"
      and
      "I'll secure my account later"

      It may just not care because I have 2FA enabled but still.

      --
      Minimum threshold fixed. Thanks!
  3. No authority by mveloso · · Score: 5, Insightful

    The Senate has no authority over Yahoo. Why does the Senate care how long it takes to report a data breach?

    If they want, they can write a law and grant that authority to an agency.

    1. Re:No authority by Anonymous Coward · · Score: 1

      It makes them look like they do something useful between golf games and vacations. If they were paid only for their productivity, they'd be on welfare and food stamps.

    2. Re:No authority by 110010001000 · · Score: 3, Insightful

      "If they want, they can write a law and grant that authority to an agency."

      Yes. That is the next step.

    3. Re:No authority by squiggleslash · · Score: 2

      Yes, the Senate shouldn't ask for information before considering laws, it should just rule from the gut, right?

      It would be so much better for the above Senators to simply propose the "Cut All Sysadmin's Goolies Off Act 2016", pass it, and then move on to the next thing...

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:No authority by bsolar · · Score: 2

      As far as I understand in most US states there are actually already data breach laws which require companies to notify users if their data is known or believed to be breached, with delayed notification allowed only if law enforcement requires it to facilitate the investigation.

    5. Re:No authority by jellomizer · · Score: 1

      People are scared, if they don't give them lip service, then they may not get elected .

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:No authority by Anonymous Coward · · Score: 1

      I'd prefer they ask for information from someone who didn't fail the hardest of anyone who has ever failed. Basically anyone else in the industry at all would be a better jumping off point. Then they could go from there.

    7. Re:No authority by h4ck7h3p14n37 · · Score: 1

      Some industries have more stringent reporting requirements than others.

      For example, the U.S. Department of Health and Human Services Office for Civil Rights maintains a site where they post any personal healthcare information breaches affecting 500 or more individuals.

    8. Re:No authority by Anubis+IV · · Score: 1

      Just because the Senate hasn't enacted a law yet doesn't mean that individual Senators can't express their opinion that the current state of things is unacceptable. This is the first step towards them making a more serious push into establishing a national law, rather than leaving it up to the states to hodge-podge the laws together, as has been the case up to this point.

      Plus, some of those Senators are from states that have security breach notification laws on the books, so they may have a more personal interest in why Yahoo failed to abide by the laws of their states, since they have constituents calling up and asking them to put pressure on Yahoo. Even if the Senators may not be able to take direct action, they likely can take indirect action to affect change. After all, most of them are pretty good at navigating politics to their advantage.

    9. Re:No authority by Bob+the+Super+Hamste · · Score: 2

      Sometimes there are industry regulations that have the backing of laws that demand reporting at specific stages. That is the set of requirements I am most familiar with and violations of NERC CIP can be absolutely devastating to a company reaching to $1,000,000 a day for violations.

      --
      Time to offend someone
    10. Re:No authority by organgtool · · Score: 2

      If they want, they can write a law and grant that authority to an agency.

      As much as I like some of the senators imposing these questions, let's be honest: no new legislation will be proposed, let alone voted down. Like all of the other congressional inquisitions and hearings that have occurred recently, the senators will jump up and down and screech like a gang of wild monkeys but in the end absolutely nothing will change.

    11. Re:No authority by bfpierce · · Score: 2

      Maybe you're unfamiliar, so I'll help you out here.

      Senators represent people from their state, so when something happens to the people (like for instance a company gets breached but doesn't bother to let anybody know about it for 2 years) in said states they have a duty to pitch a fit about it. That's the entire point of their jobs, in fact.

      They said it's 'unacceptable', and it fucking damn right is unacceptable for a technology company to wait 2 fucking years to report a data breach.

    12. Re:No authority by Spyder · · Score: 1

      If they want, they can write a law and grant that authority to an agency.

      In the case of the TJX brief, we found out in SEC disclosures in their 8-K filings. We have generally understood that a significant breach is a material corporate disclosure. So yeah, they wrote a law.

      --
      Spyder
  4. Re:Why bother? by tripleevenfall · · Score: 1

    How many of these Congrescritters are in bed with Google/Alphabet? Follow the money.

  5. More to the point by ThatsNotPudding · · Score: 2

    With respect to the proposed sale of the company, it was out-and-out fraud.

    But, in the good old U S of Kleptocracy, crooked CEOs don't get prosecuted, let alone convicted.

    1. Re:More to the point by DarkOx · · Score: 2

      fraud was it? You are required to disclose know problems with most assets prior to sale, at least to the degree you are not misrepresenting the nature of thing.

      If I sold you a car and did not mention that when I had the head off the other weekend I noticed the block was cracked that would be fraud. On the other hand if I fail to mention its due of an oil change nobody is going to come after me for violating a lemon law let alone fraud.

      This is where the wicket gets sticky with Yahoo! Is a data breach a serious impairment? I mean with the exception of Avid Life Media most companies end up not being really harmed from a PII related breach. Look at all the retailers that have bounced back just fine, look at the social media platforms, etc. Its a short term problem most of the time. Any of the security professionals will tell you its not if but when you are breached anyway. So if "it happens to everyone" and you are not an especially sensitive use case should have to disclose a breach at all? I would argue: No!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:More to the point by bfpierce · · Score: 1

      Consider that when you buy something like Yahoo, it's not their technology you're purchasing, it's the user base you're after, I'd argue the complete opposite.

    3. Re:More to the point by NotAPK · · Score: 1

      "If I sold you a car and did not mention that when I had the head off the other weekend I noticed the block was cracked that would be fraud. On the other hand if I fail to mention its due of an oil change nobody is going to come after me for violating a lemon law let alone fraud."

      Look into the exceptions available to real estate agents regarding reporting on the fitness of a property for sale. Somehow they can get out of telling you that there are problems with the property.

      By your definition this is fraud. Why aren't all the realtors in gaol? Think how much better society could be if they were?

    4. Re:More to the point by DarkOx · · Score: 1

      That is my point though, the users don't really leave. You have to offer them some token credit monitoring or something for a few months and 80% probably would not even change their password if you did not make them. They certainly are not moving their e-mail and web searches elsewhere.

      So the value of Yahoo! isn't actually impaired by the breach at all. Basically the attitude should be "breach smeach"

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  6. Unethical by sentiblue · · Score: 1

    I asked the same question.....

    Although my Y! account hasn't been in use for years and that would pose zero threat to me... I still asked the same question when I heard about the breach.... Why would such a large corporation do such a stupid thing? Now that they've been able to keep it under secrecy for two years, why announce it now?

    Did Marissa think enforcing the password change now will some how fix something? The hackers had two years to go through every single piece of data... It doesn't matter if they enforce a password change now... the only difference this makes is that the entire upper management and the board look so stupid that after Y! goes bankrupt, none of them will ever get a management job anywhere else!!!

    1. Re:Unethical by Vlad_the_Inhaler · · Score: 1

      Two points here:
      - I live under a rock but I still knew about the breach months ago, there was an article here about the hack and I passed it on to a Yahoo Group I am a member of.
      - Yahoo themselves are claiming that it was something along the lines of a state-sponsored group which hacked them. Well, they would say that - there is very little shame associated with being hacked by a top group of hackers with huge funds. Personally I doubt it but you never know, and Yahoo probably don't know either.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    2. Re:Unethical by poofmeisterp · · Score: 1

      I asked the same question.....

      Although my Y! account hasn't been in use for years and that would pose zero threat to me... I still asked the same question when I heard about the breach.... Why would such a large corporation do such a stupid thing? Now that they've been able to keep it under secrecy for two years, why announce it now?

      Did Marissa think enforcing the password change now will some how fix something? The hackers had two years to go through every single piece of data... It doesn't matter if they enforce a password change now... the only difference this makes is that the entire upper management and the board look so stupid that after Y! goes bankrupt, none of them will ever get a management job anywhere else!!!

      If the company goes bankrupt, it's one less pain in the ass for her to deal with, cuz, ya know, no one else wants to buy it. She's already got the money she needs from it saved up, laundered, off-shored, dried, pressed, laundered again, swabbed, and put into a bank account in a tree trunk in the Amazon. *zip*

  7. 2 years by Oswald+McWeany · · Score: 5, Funny

    It took them 2 years to report the breach because they were using the Yahoo search engine to try and find the appropriate people to report the breach to.

    --
    "That's the way to do it" - Punch
  8. simple solutions by micahraleigh · · Score: 1

    Since Yahoo! didn't build that, Elizabeth Warren and the other advanced senators should just whip up their version of Yahoo!.

    Also, they will be able to use the diversity of Senator Warren's rich and VERY REAL ancestry to make it happen. Harvard understood this and so should everyone else.

    People will be jumping over each other to use gov Yahoo! just like healthcare.gov.

  9. Why is this a big deal? by NoOneInParticular · · Score: 1

    As it seems to be perfectly legit in the US for companies to sell data on their servers to anyone that wants to pay money for it, why are they now in trouble? They got robbed, why blame them?

  10. stupid. by Gravis+Zero · · Score: 2

    It's stupid to expect companies to do what is right and ethical. This is why we have so many laws that mandate businesses do certain things. If they aren't legally required to do it and it won't make them money, they aren't going to do it until it becomes a problem for them.

    --
    Anons need not reply. Questions end with a question mark.
  11. The latest? Really? by Calydor · · Score: 1

    This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,

    No, it was actually one of the first really big breaches considering it happened two years ago rather than last week.

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:The latest? Really? by poofmeisterp · · Score: 1

      This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,

      No, it was actually one of the first really big breaches considering it happened two years ago rather than last week.

      Wait, wait, wait a second here. Was that the one after the first one, which was the one before the second but between the complete one 4 years ago, and before the one two years ago, but after the harvesting started on the one from last week? Or was it the last week before the one two years ago which was after 4 years ago? Gee, all of this information has got me confused. I guess I'll just go watch some more videos on th... ooooooooh shiny.

  12. Grandstanding by BoberFett · · Score: 1

    I'm having trouble finding specific timelines for this, but from the sounds of it the breach began two years ago and they only recently discovered and disclosed it.

    So these esteemed *barf* senators are upset that it took so long to notice the breach? Were they that upset when it was discovered the the government run OPM database had been compromised for YEARS?

    Political grandstanding by a bunch of useless dipshits.

    1. Re:Grandstanding by poofmeisterp · · Score: 1

      I'm having trouble finding specific timelines for this, but from the sounds of it the breach began two years ago and they only recently discovered and disclosed it.

      So these esteemed *barf* senators are upset that it took so long to notice the breach? Were they that upset when it was discovered the the government run OPM database had been compromised for YEARS?

      Political grandstanding by a bunch of useless dipshits.

      One of them probably has a yahoo address with pictures of the mistress. Did I say THE mistress? I'm so sorry.. big slip there. Heh. The first set of mistresses.

  13. Dont fuck with the feds. by TiggertheMad · · Score: 2
    What exactly are they going to do besides hem and haw at this?

    They will hold a senate investigation into the matter, which anyone in the right mind should be terrified of. They will start issuing subpoenas to people in charge at Yahoo, and start asking them questions on national t.v., (which will likely be embarrassing and detrimental to Yahoo's stock price and reputation). Provided that nobody tries to cover anything up (Federal prison time for lying under oath to a senate investigation), the company might get off with a reprimand, provided that there aren't any laws that were discovered to have been broken. But Senators aren't going to sign up for this investigation to NOT prosecute people for covering this up, so they will be out for blood. There is a good chance that something will have been done wrong, and some larges fines will be implemented.

    I predict that there will be a number of c-level and VP early 'retirements', when yahoo's board of directors boots people for putting them in the spotlight like that. Following the investigation, expect a few new federal hacking disclosure laws to hit the books next year. This will probably not go well for Yahoo, short their stock now.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  14. Re:Nice job, Marissa by NotAPK · · Score: 1

    Can't wait for her to break out into soft-core porn to make ends meet.

  15. Web 2.0 by Wingsy · · Score: 1

    It's only a matter of time before we rip out the internet as we know it and migrate to version 2.0.

    --
    If I didn't have absolutely NOTHING to do, I wouldn't be here.
    1. Re:Web 2.0 by poofmeisterp · · Score: 1

      It's only a matter of time before we rip out the internet as we know it and migrate to version 2.0.

      Putin started already by creating the bugless Microsoft replacement. *cough* Looks like it's the Next Race(tm). Wait, Race sounds bad.. The Next Competitive Head-to-Head Activity Between Two Parties to See Which One's Parts Can Finish the Job First by Changing the Context Completely(sm).

      Yes, that. I think.

  16. Apparently it's different when the NSA does it by Anonymous Coward · · Score: 2, Insightful

    That means millions of Americans' data may have been compromised for two years.

    Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for the end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.

    This isn't to absolve Yahoo! of its wrongdoing. It certainly should have been more diligent in disclosure. But to me, the differences are pretty clear. You could never have done business with Yahoo! and while it sucks a lot for the people harmed, you can not do business with Yahoo! in the future as well. Once the data's out there, the harm's pretty much been done. There's not a lot that anybody can do regardless of being notified or not. They can change their passwords and hope the effort is too much to make them interesting.

    The NSA, on the other hand... you can't avoid "doing business" with them in the past or in the future, the data's been sucked up for decades (and this is going to start causing some serious shadow problems within the next 15-30 years as the previous generation(s) of lawmakers, law enforcers, and law upholders dies off - information never stopped being power and that means that the NSA has significant leverage on anyone and everyone), and no amount of anything you can personally do except go find a remote forest and forage out of it is going to protect you.

    This idea that the government is going to save us from anything by forcing a company to be a bit swifter on the uptake is repugnant.

    1. Re:Apparently it's different when the NSA does it by poofmeisterp · · Score: 1

      That means millions of Americans' data may have been compromised for two years.

      Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for the end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.

      This isn't to absolve Yahoo! of its wrongdoing. It certainly should have been more diligent in disclosure. But to me, the differences are pretty clear. You could never have done business with Yahoo! and while it sucks a lot for the people harmed, you can not do business with Yahoo! in the future as well. Once the data's out there, the harm's pretty much been done. There's not a lot that anybody can do regardless of being notified or not. They can change their passwords and hope the effort is too much to make them interesting.

      The NSA, on the other hand... you can't avoid "doing business" with them in the past or in the future, the data's been sucked up for decades (and this is going to start causing some serious shadow problems within the next 15-30 years as the previous generation(s) of lawmakers, law enforcers, and law upholders dies off - information never stopped being power and that means that the NSA has significant leverage on anyone and everyone), and no amount of anything you can personally do except go find a remote forest and forage out of it is going to protect you.

      This idea that the government is going to save us from anything by forcing a company to be a bit swifter on the uptake is repugnant.

      Clearly they've been doing research on the first, second, and third potential compromised states of their data, so really, there's nothing to report until the research is completed.........

      I don't think I'm allowed to put enough periods at the end of that sentence.

  17. Finally! Fiscal Responsibility! by The_Revelation · · Score: 1

    Yahoo can and should take fiscal responsibility for any users who suffered financial hardship as a result of not being informed their details have been out in the wild for over two years, I guess in addition to any international governments who have had to pay insurance on stolen funds etc.

    1. Re:Finally! Fiscal Responsibility! by poofmeisterp · · Score: 1

      Yahoo can and should take fiscal responsibility for any users who suffered financial hardship as a result of not being informed their details have been out in the wild for over two years, I guess in addition to any international governments who have had to pay insurance on stolen funds etc.

      Heh. Prove it.

      I had to put protection on all three credit "bureaus" because my information was compromised but the idiot that did it didn't know my current address. I'd like to see the argument from Y! on me storing the first 3 of my SSN in one email 10+ years ago, the last part 12+ years ago, and my then different addresses of living over the span of 15 years being a violation of their agreement for me to "not send personal information through their server(s) etc etc".

  18. Hmmm...all Democrat Senators... by erp_consultant · · Score: 1

    Yahoo gives lots of money to the Democrat party. My prediction? This will be a complete farce with nothing of consequence coming from it. But Franken, et al will get tons of mileage from it by appearing to go after "big business". Nothing to see here. Thanks for playing.