Yahoo Admits Staff Was Aware of the “State-Sponsored” Hack in 2014
Millions of users' data was stolen in one of the biggest breaches of history when Yahoo was hacked into back in 2014. While it publicly acknowledged the compromise this September, the company had apparently detected the breach early on.
Yahoo admits discovering hack in 2014
In September, Yahoo confirmed that at least 500 million of its user account had been compromised during an attack in 2014. In a filing with the Securities and Exchange Commission, the company has now admitted that some of its employees were aware of the theft as early as 2014. That is years before it publicly acknowledged the hack which the company has attributed to state-sponsored actors.
Yahoo said in the filing;
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
When the company learned of the breach is an important question for its planned sale to Verizon. Verizon reportedly asked for a $1 billion discount after the breach report, which Yahoo delayed until after the September sale. But, it's not just Verizon trying to get some discounts. The tech giant said that 23 class action lawsuits have been filed by the consumers in federal, state and foreign courts. The filing mentions $1 million in losses for Yahoo so far.
Senator Mark Warner has also asked the SEC to investigate what Yahoo knew about the breach and when it knew it. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public," Warner said in a statement.
Yahoo said in the filing that it has formed an independent committee to review “the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”