Yahoo revealed two large breaches last year

Yahoo is being investigated by US financial regulators over the company's data breaches.

The US Securities and Exchange Commission (SEC) is currently looking into whether the tech giant should have told investors about two massive data breaches.

The Wall Street Journal reported on Monday the 23rd that the SEC, which oversees securities law, was investigating Yahoo for the late reporting of data breaches, which were not made public until some time after they actually happened. The SEC asked for documents from Yahoo in late 2016 to learn whether the company could have told investors earlier, according to the paper's sources.

Towards the end of 2016, Yahoo revealed two giant breaches. The first, revealed in September 2016, resulted in the theft of the data of 500 million users. Later in the year, the company revealed another incident which resulted in the theft of the personal information of one billion users.

Adding to the revelations was the fact that, although some employees knew of the first breach as far back as 2014, they did not tell investors or customers.

Brian Chappell, director of technical services EMEAI & APAC at BeyondTrust, told SC Media UK that “breaches involving user credentials and/or PII could have material impact for those users exposed. Any company not notifying its users of any breach, regardless of the actual mechanics of said breach, isn't following best business practice. It's only appropriate that such companies would be subject to investigation by one or more agencies.”

Rumours quickly sprang up that the admissions would affect the company's upcoming acquisition by global media company Verizon. Yahoo eventually delayed the acquisition in January 2017.

Yahoo responded to SC's request for comment by citing the company's 10-Q, a form filed to the SEC by all publicly traded corporations. Yahoo's 10-Q, filed on 9 November 2016, states, “the company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the security incident and related matters, including the US Federal Trade Commission, the US Securities and Exchange Commission, a number of State Attorney Generals, and the US Attorney's office for the Southern District of New York.”