Commerce Committee Leaders Seek Answers on Yahoo! Data Security Incidents

February 10, 2017

WASHINGTON – U.S. Sens. John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, and Jerry Moran (R-Kan.), chairman of the Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee, today asked Yahoo! CEO Marissa Mayer to answer questions about multiple data security incidents Yahoo! disclosed over the past few months, including what steps Yahoo! has made to “identify and mitigate potential consumer harm.”

“Despite several inquiries by Committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches,” said Thune and Moran in the letter. “Moreover, Yahoo!’s recent, last-minute cancellation of a planned congressional staff briefing, originally scheduled for January 31, 2017, has prompted concerns about the company’s willingness to deal with Congress with complete candor about these recent events. We hope that you will dispel these concerns.”

Thune and Moran’s letter asks Mayer to provide answers to the following questions no later than February 23:

1.    With respect to both the 2013 and 2014 incidents, how many users do these incidents affect?  Please describe Yahoo!’s efforts to identify and provide notice to these users.
2.    With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised?  Does the data include sensitive personal information?
3.    What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?
4.    What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?
5.    In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo!’s initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.

The Senate Commerce Committee exercises legislative and oversight jurisdiction over issues related to the internet, data security, and consumer protection issues. Click here for the full letter to Mayer.