Yahoo Facing Lawsuits, Senate Inquiry, Possibly Merger Issues After Massive Data Breach

Image courtesy of Yahoo

Last week was pretty rough for Yahoo, which confirmed on Thursday that it suffered a major data breach affecting more than half a billion (yes, with a B) users. Now 500 million people with Yahoo accounts are trying to figure out what to do next… but they’re not the only ones.

Courtrooms

As you might imagine, Yahoo users are incredibly unhappy with the fact that their data was stolen en masse, and are even less happy with the way the company handled the disclosure. The first lawsuits against Yahoo were entered the day after the news broke, and now a pile of similar, related claims is starting to pile up.

As USA Today and Bloomberg report, there are at least five cases filed against Yahoo so far.

Two, one by a New York resident and one for an Arkansas woman, have been filed in the U.S. District Court in San Francisco. Both seek class-action status. Another, also by a New York resident, was filed in federal court in San Jose. And similar complaints have also been filed in federal courts in Illinois and San Diego.

In one case, the plaintiff’s lawyers claim Yahoo “intentionally, willfully, recklessly, or negligently” failed to protect its systems and also failed to tell users that their data “was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies, and procedures,” in violation of the FTC Act and California law.

Another complaint says, “[Yahoo’s] misconduct was so bad that it evidently allowed unauthorized and malicious access to plaintiff’s and the class’s personal information on defendant’s computer systems to continue unimpeded for nearly two years.”

Legal action takes time, so it will be a while before we know how or if these cases will be consolidated, and if class-action status ends up granted.

Capitol Hill

A half-dozen Senators really want to know a lot more about how this breach happened and what was stolen — and also, just what Yahoo knew and when they knew it.

To that end, Sen. Patrick Leahy (VT), joined by Senators Richard Blumenthal (CT), Al Franken (MN), Ed Markey (MA), Elizabeth Warren (MA), and Ron Wyden (OR) today sent a letter full of pointed, specific questions to Yahoo CEO Marissa Meyer.

The letter (PDF) asks, among other questions, what Yahoo sites and services were affected, how many total users were hit, how Yahoo didn’t notice the intrusion to begin with, and what it’s doing to prevent another one.

“We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week,” the Senators write. “That means millions of Americans’ data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”

Separately, Sen. Mark Warner (VA) is asking the Securities and Exchange Commission to investigate whether Yahoo met mandated disclosure requirements about the breach.

“Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about,” Warner wrote in a letter to SEC chair Mary Jo White. He also asked the SEC to investigate whether Yahoo made “complete and accurate” representations of its information security practices.

The SEC is involved because Yahoo is in the midst of a $4.8 billion acquisition by Verizon. As part of that, Yahoo told the SEC on Sept. 9 that it did not have knowledge of any unauthorized access of its users personal data… 13 days before it announced the massive breach.

C-Suite

Lawsuits and letters from Congress are concrete, but the rumors in the business world are a little more ethereal and vague. That said, issues surrounding the breach could indeed complicate or even scuttle Verizon’s plans to purchase Yahoo.

As Fortune explained last week, the language of the deal between Verizon and Yahoo would not allow Verizon to scrap its plans over external factors, like changes in global political or economic situations (Brexit, anyone?). Verizon can, however, either back out — or negotiate a lower price — if a court finds that the breach is an adverse event that lowers Yahoo’s value.

But the more pressing issue is the same one Sen. Warner’s asking the SEC to look into: when did Yahoo find out about the breach? Because the merger agreement that Yahoo signed on July 23 specifically agrees that to their best knowledge, there have not been any incidents or claims about data loss or security breaches. And if Yahoo did know, and signed that agreement anyway, that would spell trouble.

Verizon, meanwhile, said on Thursday that it only found out about the massive breach two days before Yahoo’s 500 million users, and the rest of the world, did.

There are reports beginning to surface that Verizon leadership are unsure how to continue. Many analysts say that the deal is likely to progress, but that Verizon may well lower the price it’s willing to pay for now-damaged goods.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.