Some powerful Senate Republicans are not happy with Yahoo!'s answer—or they suggest lack of them—about data breaches.
Sens. John Thune (R-S.D.), chairman of the Senate Commerce Committee, and Jerry Moran (R-Kan.), chairman of the Consumer Protection, Product Safety, Insurance and Data Security Subcommittee, have written Yahoo! CEO Marissa Mayer saying they want to know what Yahoo! has done to identify and mitigate any consumer harm.
In December, Yahoo! announced it had "data security issues" involving over one billion accounts related to a 2013 hack, which they pointed out in the letter was distinct from a 2014 hack that itself has affected a half billion users—thought to be the largest hack but apparently not.
“Despite several inquiries by Committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches,” they wrote.
They are also not happy with the cancellation, which they called last-minute, of a planned meeting between Yahoo! and congressional staffers that had been planned for Jan. 31.
They said they were concerned about "the company’s willingness to deal with Congress with complete candor about these recent events" and were looking to Mayer to assuage those concerns.
They gave Mayer until Feb. 23 to answer the following:
1. "With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!’s efforts to identify and provide notice to these users."
2. "With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised? Does the data include sensitive personal information?"
3. "What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?"
4. "What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents
5. "In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo!’s initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers."