The US Securities and Exchange Commission is looking into whether Yahoo could have been quicker to tell investors about two record-breaking data breaches.
Internet giant Yahoo has confirmed it is to be investigated by the US Securities and Exchange Commission (SEC) in connection with two major data breaches discovered at the company last year.
In a November 2016 quarterly filing, the company said it was “cooperating with federal, state and foreign” agencies, including the SEC, as first revealed by the Wall Street Journal.
The investigation is reportedly centered around a “security incident and related matters”, which is believed to be in reference to the record-breaking data breaches revealed in September and December.
The latter, which the company announced on Tumblr, relates back to an incident in August 2013, which is said to have affected one billion user accounts.
It is thought to be the biggest data breach in history. At the time, Yahoo said that compromised information included names, email address, telephone numbers, dates of birth and hashed passwords.
Bob Lord, chief information security officer at Yahoo, commented in December: “We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.
“We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
According to multiple reports, the SEC is keen to establish whether these data breaches should have been reported to investors sooner.
Security industry rules dictate that companies must disclose breaches to investors, although guidance is offered on when such incidents should be reported.
The investigation surrounding Yahoo has already had a significant corporate impact, with the company confirming that the proposed $4.8 billion (£4 billion) sale of its core internet assets to telecoms giant Verizon would take place in the second quarter of the year rather than the first.