Yahoo was hacked in 2014 and huge amounts of personal data was stolen. Yahoo, which was a little concerned about more publicity failed to make the news public.
Now the FBI is looking into whether Yahoo’s two massive data breaches should have been reported sooner to investors. If Yahoo faces any fall-out from the case then it could be a major test in defining when a company is required to disclose a hack.
For those who came in late, the first data breach in 2013 that involved more than one billion users’ accounts. The second was in 2014, an intrusion which involved about 500 million accounts. SEC has requested documents from Yahoo.
The agency has been considering a model case for cybersecurity rules it issued in 2011. Yahoo has said that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies including “several State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York”.
When Yahoo reported the 2014 breach, it said that evidence linked it to a state-sponsored attacker. It has not announced a suspected responsibility for the larger 2013 intrusion, but the company has said it does not believe the two breaches are linked.