Yahoo said it learned of its recent massive breach, which affected more than 500 million user accounts, in August.
Yet on Sept. 9 — after it started its investigation — the company said in a regulatory filing that it was not aware of "any incidents of, or third party claims alleging" security breaches, "unauthorized access or use" of its information technology systems or misuse of personal information that could significantly impact its business.
This apparent conflict between when it learned about the breach and what it filed with the Securities and Exchange Commission about its proposed sale to Verizon has raised questions about what the tech company knew and when.
Companies are required to tell the SEC about events that any "reasonable investor would consider important in an investment decision," according to the agency. Independent security experts who looked at the proxy filing say the company could be on shaky ground if it comes to light that it in any way understood the seriousness of the breach when it had made that statement.
Yahoo was very careful in the wording of its Sept. 9 filing, said Kim Phan, a D.C.-based lawyer specializing in data and privacy security at Ballard Spahr. "Looking at their exact statement in their filing, they are very specific — they say 'to our knowledge' we don’t know this was a breach," Phan said. "From a legal perspective, it’s not deceptive. However, it doesn’t mean that they were fulfilling the spirit of the law."
Yahoo said it launched two different hack investigations this summer. The first one was in July but had no "direct connection" to the massive breach of 500 million user accounts. It found no evidence of that alleged hack and closed its probe, the company said.
"In late August, Yahoo chose to begin a separate, comprehensive security investigation," Yahoo said in a statement to The Washington Post. "That investigation, which is ongoing, eventually resulted in the information that was shared publicly on September 22."
However, that still places the proxy filing — and Yahoo's claim that it had no knowledge of a serious breach — after the start of the company's investigation in August.
Yahoo declined to elaborate on the Sept. 9 filing. The SEC declined to comment.
The tech giant is already facing calls for closer scrutiny into the way it reported the breach. Sen. Mark R. Warner (D-Va.) on Monday called for the SEC to investigate whether Yahoo failed to fulfill its legal obligations to shareholders and consumers, in light of the massive breach that exposed the information of 500 million user accounts.
"I've been on public corporate boards and don’t see how anyone wouldn’t view this as a material fact," Warner, a former technology executive, said Tuesday in an interview with The Post. "It's important that we look into when Yahoo executives had this information, and why did they file on Sept. 9 saying they had no evidence of this."
The question of whether an investigation with serious concerns of a breach can be enough cause for disclosure is difficult to answer, experts said.
The standard for reporting a breach, Phan said, is whether there could be material harm to a company. For example, if proprietary information central to a company's business model were stolen, then that could be considered material harm. Another example is anything that can significantly damage the reputation of the company. But harm can be difficult to evaluate, particularly if a breach is caught and contained quickly.
"There's a risk to reporting," she said, citing bad press around a breach, even if the intrusion itself doesn't cause the company much harm. "While companies are being too conservative about reporting, they don't always need to report everything."
Companies can also sometimes be asked by law enforcement not to disclose breaches, experts said, to avoid disrupting ongoing investigations.
"Yahoo has been stingy with the facts, but this may be at the request of U.S. law enforcement or the intelligence community,” said Leo Taddeo, a former special agent in charge of the FBI's New York cybercrime office and now chief security officer at security firm Cryptzone. “If, in fact, there are signs of a state actor, the authorities would definitely prefer to keep the details out of the public domain. Otherwise, the hackers may get tipped off to the U.S. government's sources and capabilities."
Yahoo's case especially stands out because of its circumstances. Yahoo is in the midst of a sale, after all, and its statement that it had no knowledge of the breach was made in a proxy filing — something experts say is unusual. If Yahoo wanted to disclose a breach, it would have done so in a separate filing as it did Sept. 22.
Whether its language in the proxy filing will lead to an SEC investigation remains unclear.
Since offering its guidance on disclosing breaches in 2011, the SEC has not penalized any company for failing to do so. And several companies do not report breaches, Phan said. Sony, for example, which suffered a massive breach of its records in 2014, never filed a notice with the SEC over that incident.
That, according to Warner, is also a problem. Warner asked SEC chairman Mary Jo White to "evaluate the adequacy of current SEC thresholds for disclosing events of this nature" in his letter. He is also calling for the government to set some sort of minimum cybersecurity standard for companies, and for a national data breach disclosure law.
Yahoo, he said, is just the latest example to illustrate that the current regulatory framework needs work. "This shows that this is an area that’s changing faster than rules and technology can keep up with," he said. "If this kind of massive breach doesn’t spur us on, I don’t know what will."