Slashdot Mirror


Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com)

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter read. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Ron Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing for Senate staffers on Yahoo's incident response and how it intends to protect affected users.

17 of 72 comments

  1. Yawho? by tripleevenfall · · Score: 4, Funny

    Sources say nothing of value was lost, as the breach only impacts people who still use Yahoo.

    1. Re:Yawho? by sbrown7792 · · Score: 4, Funny

      the breach only impacts people who still use Yahoo.

      Right, the senators were impacted and that's why they care.

    2. Re:Yawho? by davester666 · · Score: 2

      Really? They managed to migrate from AOL?

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Yawho? by RavenLrD20k · · Score: 4, Informative

      We're talking about senators here... you can't spew that much bullshit without having impacted bowels.

      Oh, by the way: your attempt at pedantry fails, as a secondary definition for "impacted" literally means "strongly affected by something." Or, to see for yourself, read #9 on the linked page. Also, by "literally" I mean that to be without exaggeration or inaccuracies.

  2. No authority by mveloso · · Score: 5, Insightful

    The Senate has no authority over Yahoo. Why does the Senate care how long it takes to report a data breach?

    If they want, they can write a law and grant that authority to an agency.

    1. Re:No authority by 110010001000 · · Score: 3, Insightful

      "If they want, they can write a law and grant that authority to an agency."

      Yes. That is the next step.

    2. Re:No authority by squiggleslash · · Score: 2

      Yes, the Senate shouldn't ask for information before considering laws, it should just rule from the gut, right?

      It would be so much better for the above Senators to simply propose the "Cut All Sysadmin's Goolies Off Act 2016", pass it, and then move on to the next thing...

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:No authority by bsolar · · Score: 2

      As far as I understand, in most US states there are actually already data breach laws which require companies to notify users if their data is known or believed to be breached, with delayed notification allowed only if law enforcement requires it to facilitate the investigation.

    4. Re:No authority by Bob+the+Super+Hamste · · Score: 2

      Sometimes there are industry regulations that have the backing of laws that demand reporting at specific stages. That is the set of requirements I am most familiar with, and violations of NERC CIP can be absolutely devastating to a company, reaching $1,000,000 a day for violations.

      --
      Time to offend someone
    5. Re:No authority by organgtool · · Score: 2

      If they want, they can write a law and grant that authority to an agency.

      As much as I like some of the senators imposing these questions, let's be honest: no new legislation will be proposed, let alone voted down. Like all of the other congressional inquisitions and hearings that have occurred recently, the senators will jump up and down and screech like a gang of wild monkeys but in the end absolutely nothing will change.

    6. Re:No authority by bfpierce · · Score: 2

      Maybe you're unfamiliar, so I'll help you out here.

      Senators represent people from their state, so when something happens to the people (like for instance a company gets breached but doesn't bother to let anybody know about it for 2 years) in said states they have a duty to pitch a fit about it. That's the entire point of their jobs, in fact.

      They said it's 'unacceptable', and it fucking damn right is unacceptable for a technology company to wait 2 fucking years to report a data breach.

  3. More to the point by ThatsNotPudding · · Score: 2

    With respect to the proposed sale of the company, it was out-and-out fraud.

    But, in the good old U S of Kleptocracy, crooked CEOs don't get prosecuted, let alone convicted.

    1. Re:More to the point by DarkOx · · Score: 2

      Fraud, was it? You are required to disclose known problems with most assets prior to sale, at least to the degree that you are not misrepresenting the nature of the thing.

      If I sold you a car and did not mention that, when I had the head off the other weekend, I noticed the block was cracked, that would be fraud. On the other hand, if I fail to mention it's due for an oil change, nobody is going to come after me for violating a lemon law, let alone fraud.

      This is where the wicket gets sticky with Yahoo! Is a data breach a serious impairment? I mean, with the exception of Avid Life Media, most companies end up not being really harmed by a PII-related breach. Look at all the retailers that have bounced back just fine, look at the social media platforms, etc. It's a short-term problem most of the time. Any of the security professionals will tell you it's not if but when you are breached anyway. So if "it happens to everyone" and you are not an especially sensitive use case, should you have to disclose a breach at all? I would argue: No!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  4. 2 years by Oswald+McWeany · · Score: 5, Funny

    It took them 2 years to report the breach because they were using the Yahoo search engine to try and find the appropriate people to report the breach to.

    --
    "That's the way to do it" - Punch
  5. stupid. by Gravis+Zero · · Score: 2

    It's stupid to expect companies to do what is right and ethical. This is why we have so many laws that mandate businesses do certain things. If they aren't legally required to do it and it won't make them money, they aren't going to do it until it becomes a problem for them.

    --
    Anons need not reply. Questions end with a question mark.
  6. Don't fuck with the feds. by TiggertheMad · · Score: 2

    What exactly are they going to do besides hem and haw at this?

    They will hold a Senate investigation into the matter, which anyone in their right mind should be terrified of. They will start issuing subpoenas to people in charge at Yahoo, and start asking them questions on national TV (which will likely be embarrassing and detrimental to Yahoo's stock price and reputation). Provided that nobody tries to cover anything up (federal prison time for lying under oath to a Senate investigation), the company might get off with a reprimand, provided that there aren't any laws that were discovered to have been broken. But senators aren't going to sign up for this investigation to NOT prosecute people for covering this up, so they will be out for blood. There is a good chance that something will have been done wrong, and some large fines will be implemented.

    I predict that there will be a number of C-level and VP early 'retirements', when Yahoo's board of directors boots people for putting them in the spotlight like that. Following the investigation, expect a few new federal hacking disclosure laws to hit the books next year. This will probably not go well for Yahoo; short their stock now.

    --
    HA! I just wasted some of your bandwidth with a frivolous sig!
  7. Apparently it's different when the NSA does it by Anonymous Coward · · Score: 2, Insightful

    That means millions of Americans' data may have been compromised for two years.

    Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for an end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.

    This isn't to absolve Yahoo! of its wrongdoing. It certainly should have been more diligent in disclosure. But to me, the differences are pretty clear. You could never have done business with Yahoo! and while it sucks a lot for the people harmed, you can not do business with Yahoo! in the future as well. Once the data's out there, the harm's pretty much been done. There's not a lot that anybody can do regardless of being notified or not. They can change their passwords and hope the effort is too much to make them interesting.

    The NSA, on the other hand... you can't avoid "doing business" with them in the past or in the future, the data's been sucked up for decades (and this is going to start causing some serious shadow problems within the next 15-30 years as the previous generation(s) of lawmakers, law enforcers, and law upholders dies off - information never stopped being power and that means that the NSA has significant leverage on anyone and everyone), and no amount of anything you can personally do except go find a remote forest and forage out of it is going to protect you.

    This idea that the government is going to save us from anything by forcing a company to be a bit swifter on the uptake is repugnant.