Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72
Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report:The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter wrote. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Roy Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing to senate staffers on its incident response and how it intends to protect affected users.
Yawho? (Score:5, Funny)
Sources say nothing of value was lost, as the breach only impacts people who still use Yahoo.
Re:Yawho? (Score:5, Funny)
the breach only impacts people who still use Yahoo.
Right, the senators were impacted and that's why they care.
Re:Yawho? (Score:5, Informative)
We're talking about senators here... you can't spew that much bullshit without having impacted bowels.
Oh, by the way: your attempt at pedantry fails as a secondary definition for impacted literally means "strongly affected by something." Or, to see for yourself read #9 on the linked page [dictionary.com]. Also; by literally I mean that to be without exaggeration or inaccuracies.
Re: (Score:2)
Really? They managed to migrate from AOL?
They could start forcing password resets (Score:2)
They could start forcing password resets like ebay did.
That would be a start.
Re: (Score:2)
No I haven't changed my yahoo password since sometime around Y2K it says "Make sure your account is secure!
To secure your account, change your password and update your mobile number.
And it gives me two options
"Yes, secure my account"
and
"I'll secure my account later"
It may just not care because I have 2FA enabled but still.
No authority (Score:5, Insightful)
The Senate has no authority over Yahoo. Why does the Senate care how long it takes to report a data breach?
If they want, they can write a law and grant that authority to an agency.
Re: (Score:1)
Re: (Score:3, Insightful)
Yes. That is the next step.
Re: (Score:3)
Re: (Score:1)
I'd prefer they ask for information from someone who didn't fail the hardest of anyone who has ever failed. Basically anyone else in the industry at all would be a better jumping off point. Then they could go from there.
Re: (Score:3)
As far as I understand in most US states there are actually already data breach laws which require companies to notify users if their data is known or believed to be breached, with delayed notification allowed only if law enforcement requires it to facilitate the investigation.
Re: (Score:2)
Some industries have more stringent reporting requirements than others.
For example, the U.S. Department of Health and Human Services Office for Civil Rights maintains a site where they post any personal healthcare information breaches affecting 500 or more individuals. [hhs.gov]
Re: (Score:3)
Re: (Score:2)
People are scared, if they don't give them lip service, then they may not get elected .
Re: (Score:2)
Just because the Senate hasn't enacted a law yet doesn't mean that individual Senators can't express their opinion that the current state of things is unacceptable. This is the first step towards them making a more serious push into establishing a national law, rather than leaving it up to the states to hodge-podge the laws together, as has been the case up to this point.
Plus, some of those Senators are from states that have security breach notification laws on the books, so they may have a more personal in
Re: (Score:3)
As much as I like some of the senators imposing these questions, let's be honest: no new legislation will be proposed, let alone voted down. Like all of the other congressional inquisitions and hearings that have occurred recently, the senators will jump up and down and screech like a gang of wild monkeys but in the end absolutely nothing will change.
Re: (Score:3)
Maybe you're unfamiliar, so I'll help you out here.
Senators represent people from their state, so when something happens to the people (like for instance a company gets breached but doesn't bother to let anybody know about it for 2 years) in said states they have a duty to pitch a fit about it. That's the entire point of their jobs, in fact.
They said it's 'unacceptable', and it fucking damn right is unacceptable for a technology company to wait 2 fucking years to report a data breach.
Re: (Score:2)
If they want, they can write a law and grant that authority to an agency.
In the case of the TJX brief, we found out in SEC disclosures in their 8-K filings. We have generally understood that a significant breach is a material corporate disclosure. So yeah, they wrote a law.
Re: (Score:2)
How many of these Congrescritters are in bed with Google/Alphabet? Follow the money.
Dont fuck with the feds. (Score:3)
They will hold a senate investigation into the matter, which anyone in the right mind should be terrified of. They will start issuing subpoenas to people in charge at Yahoo, and start asking them questions on national t.v., (which will likely be embarrassing and detrimental to Yahoo's stock price and reputation). Provided that nobody tries to cover anything up (Federal prison time for lying under oath to a senate investigation), the company mig
More to the point (Score:3)
But, in the good old U S of Kleptocracy, crooked CEOs don't get prosecuted, let alone convicted.
Re: (Score:3)
fraud was it? You are required to disclose know problems with most assets prior to sale, at least to the degree you are not misrepresenting the nature of thing.
If I sold you a car and did not mention that when I had the head off the other weekend I noticed the block was cracked that would be fraud. On the other hand if I fail to mention its due of an oil change nobody is going to come after me for violating a lemon law let alone fraud.
This is where the wicket gets sticky with Yahoo! Is a data breach a se
Re: (Score:2)
Consider that when you buy something like Yahoo, it's not their technology you're purchasing, it's the user base you're after, I'd argue the complete opposite.
Re: (Score:2)
That is my point though, the users don't really leave. You have to offer them some token credit monitoring or something for a few months and 80% probably would not even change their password if you did not make them. They certainly are not moving their e-mail and web searches elsewhere.
So the value of Yahoo! isn't actually impaired by the breach at all. Basically the attitude should be "breach smeach"
Re: (Score:2)
"If I sold you a car and did not mention that when I had the head off the other weekend I noticed the block was cracked that would be fraud. On the other hand if I fail to mention its due of an oil change nobody is going to come after me for violating a lemon law let alone fraud."
Look into the exceptions available to real estate agents regarding reporting on the fitness of a property for sale. Somehow they can get out of telling you [chicagotribune.com] that there are problems with the property.
By your definition this is fraud.
Re: (Score:2)
Can't wait for her to break out into soft-core porn to make ends meet.
Unethical (Score:1)
Although my Y! account hasn't been in use for years and that would pose zero threat to me... I still asked the same question when I heard about the breach.... Why would such a large corporation do such a stupid thing? Now that they've been able to keep it under secrecy for two years, why announce it now?
Did Marissa think enforcing the password change now will some how fix something? The hackers had two years to go through every single piece of data... It doesn't matter if t
Re: (Score:2)
Two points here:
- I live under a rock but I still knew about the breach months ago, there was an article here about the hack and I passed it on to a Yahoo Group I am a member of.
- Yahoo themselves are claiming that it was something along the lines of a state-sponsored group which hacked them. Well, they would say that - there is very little shame associated with being hacked by a top group of hackers with huge funds. Personally I doubt it but you never know, and Yahoo probably don't know either.
Re: (Score:2)
I asked the same question.....
Although my Y! account hasn't been in use for years and that would pose zero threat to me... I still asked the same question when I heard about the breach.... Why would such a large corporation do such a stupid thing? Now that they've been able to keep it under secrecy for two years, why announce it now?
Did Marissa think enforcing the password change now will some how fix something? The hackers had two years to go through every single piece of data... It doesn't matter if they enforce a password change now... the only difference this makes is that the entire upper management and the board look so stupid that after Y! goes bankrupt, none of them will ever get a management job anywhere else!!!
If the company goes bankrupt, it's one less pain in the ass for her to deal with, cuz, ya know, no one else wants to buy it. She's already got the money she needs from it saved up, laundered, off-shored, dried, pressed, laundered again, swabbed, and put into a bank account in a tree trunk in the Amazon. *zip*
2 years (Score:5, Funny)
It took them 2 years to report the breach because they were using the Yahoo search engine to try and find the appropriate people to report the breach to.
simple solutions (Score:1)
Also, they will be able to use the diversity of Senator Warren's rich and VERY REAL ancestry to make it happen. Harvard understood this and so should everyone else.
People will be jumping over each other to use gov Yahoo! just like healthcare.gov.
Why is this a big deal? (Score:2)
stupid. (Score:3)
It's stupid to expect companies to do what is right and ethical. This is why we have so many laws that mandate businesses do certain things. If they aren't legally required to do it and it won't make them money, they aren't going to do it until it becomes a problem for them.
The latest? Really? (Score:2)
This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,
No, it was actually one of the first really big breaches considering it happened two years ago rather than last week.
Re: (Score:2)
This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest,
No, it was actually one of the first really big breaches considering it happened two years ago rather than last week.
Wait, wait, wait a second here. Was that the one after the first one, which was the one before the second but between the complete one 4 years ago, and before the one two years ago, but after the harvesting started on the one from last week? Or was it the last week before the one two years ago which was after 4 years ago? Gee, all of this information has got me confused. I guess I'll just go watch some more videos on th... ooooooooh shiny.
S, S, S What begins with S? (Score:1)
Six senior senators who should swallow a sack of shit.
Grandstanding (Score:2)
I'm having trouble finding specific timelines for this, but from the sounds of it the breach began two years ago and they only recently discovered and disclosed it.
So these esteemed *barf* senators are upset that it took so long to notice the breach? Were they that upset when it was discovered the the government run OPM database had been compromised for YEARS?
Political grandstanding by a bunch of useless dipshits.
Re: (Score:2)
I'm having trouble finding specific timelines for this, but from the sounds of it the breach began two years ago and they only recently discovered and disclosed it.
So these esteemed *barf* senators are upset that it took so long to notice the breach? Were they that upset when it was discovered the the government run OPM database had been compromised for YEARS?
Political grandstanding by a bunch of useless dipshits.
One of them probably has a yahoo address with pictures of the mistress. Did I say THE mistress? I'm so sorry.. big slip there. Heh. The first set of mistresses.
Web 2.0 (Score:2)
Re: (Score:2)
It's only a matter of time before we rip out the internet as we know it and migrate to version 2.0.
Putin started already by creating the bugless Microsoft replacement. *cough* Looks like it's the Next Race(tm). Wait, Race sounds bad.. The Next Competitive Head-to-Head Activity Between Two Parties to See Which One's Parts Can Finish the Job First by Changing the Context Completely(sm).
Yes, that. I think.
Apparently it's different when the NSA does it (Score:2, Insightful)
That means millions of Americans' data may have been compromised for two years.
Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for the end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.
This isn't to absolve Yahoo! of its wrongdoing. It certainly
Re: (Score:2)
That means millions of Americans' data may have been compromised for two years.
Perhaps you and I have differing ideas of what constitutes "compromised." It seems you don't see it as compromising when the government does it - even without permission or oversight and with constant lies about it. Why is that? It's also the case that our data have been compromised for nearly two decades. Perhaps you should call for the end to the unethical, immoral, and unconstitutional spying instead - which you can actually do something about.
This isn't to absolve Yahoo! of its wrongdoing. It certainly should have been more diligent in disclosure. But to me, the differences are pretty clear. You could never have done business with Yahoo! and while it sucks a lot for the people harmed, you can not do business with Yahoo! in the future as well. Once the data's out there, the harm's pretty much been done. There's not a lot that anybody can do regardless of being notified or not. They can change their passwords and hope the effort is too much to make them interesting.
The NSA, on the other hand... you can't avoid "doing business" with them in the past or in the future, the data's been sucked up for decades (and this is going to start causing some serious shadow problems within the next 15-30 years as the previous generation(s) of lawmakers, law enforcers, and law upholders dies off - information never stopped being power and that means that the NSA has significant leverage on anyone and everyone), and no amount of anything you can personally do except go find a remote forest and forage out of it is going to protect you.
This idea that the government is going to save us from anything by forcing a company to be a bit swifter on the uptake is repugnant.
Clearly they've been doing research on the first, second, and third potential compromised states of their data, so really, there's nothing to report until the research is completed.........
I don't think I'm allowed to put enough periods at the end of that sentence.
Finally! Fiscal Responsibility! (Score:1)
Re: (Score:2)
Yahoo can and should take fiscal responsibility for any users who suffered financial hardship as a result of not being informed their details have been out in the wild for over two years, I guess in addition to any international governments who have had to pay insurance on stolen funds etc.
Heh. Prove it.
I had to put protection on all three credit "bureaus" because my information was compromised but the idiot that did it didn't know my current address. I'd like to see the argument from Y! on me storing the first 3 of my SSN in one email 10+ years ago, the last part 12+ years ago, and my then different addresses of living over the span of 15 years being a violation of their agreement for me to "not send personal information through their server(s) etc etc".
Hmmm...all Democrat Senators... (Score:2)
Yahoo gives lots of money to the Democrat party. My prediction? This will be a complete farce with nothing of consequence coming from it. But Franken, et al will get tons of mileage from it by appearing to go after "big business". Nothing to see here. Thanks for playing.