United States Senate
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
WASHINGTON, DC 20510-6125
http://commerce.senate.gov

February 10, 2017

Ms. Marissa Mayer
Chief Executive Officer
Yahoo! Inc.
701 First Avenue
Sunnyvale, CA 94089

Dear Ms. Mayer:

As the Chairmen of the Senate Committee on Commerce, Science, and Transportation and its Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, we are writing regarding the multiple data security incidents Yahoo! has disclosed over the past few months. Despite several inquiries by Committee staff seeking information about the security of Yahoo! user accounts, company officials have thus far been unable to provide answers to many basic questions about the reported breaches. Moreover, Yahoo!'s recent, last-minute cancellation of a planned congressional staff briefing, originally scheduled for January 31, 2017, has prompted concerns about the company's willingness to deal with Congress with complete candor about these recent events. We hope that you will dispel these concerns.

As you know, on December 14, 2016, Yahoo! announced that the company had identified "data security issues" affecting over one billion user accounts.1 This announcement relates to a 2013 hack involving sensitive user information, including security questions and answers. It is distinct from the previously disclosed 2014 hack, which affected 500 million user accounts.2 At the time, the 2014 hack was widely considered the largest data breach in history.3 This unenviable title now apparently applies to the 2013 data breach.

On September 26, 2016, the Committee scheduled a bipartisan staff briefing to discuss the 2014 data breach. Chris Madsen, Yahoo!'s Assistant General Counsel and Head of Global Law Enforcement, Security and Safety, led the briefing. At the time, Mr. Madsen was unable to provide any additional details concerning the nature of incident, those affected, and steps the company had taken to identify and mitigate consumer harm, beyond what was already known publicly. Yahoo! has not attempted to supplement its answers to the Committee as new information has become available, despite committing to do so.

On December 14, 2016, Yahoo! contacted the Committee to communicate its announcement regarding the discovery of the 2013 breach and agreed to provide a follow-up staff-level briefing. Yet, on Saturday, January 28, 2017, Yahoo! abruptly cancelled the briefing.

Protecting consumers has been and will remain a key priority of this Committee. We have attempted to learn more about these incidents for some time. Our goal is to understand what subsequent steps Yahoo! has taken to investigate what occurred, restore and maintain the integrity of its systems, and identify and mitigate potential consumer harm. Accordingly, we request answers to the following questions:

1. With respect to both the 2013 and 2014 incidents, how many users do these incidents affect? Please describe Yahoo!'s efforts to identify and provide notice to these users.

2. With respect to the aforementioned incidents, what type of data does Yahoo! believe to have been compromised? Does the data include sensitive personal information?

3. What steps has Yahoo! taken to identify and mitigate potential consumer harm associated with these incidents?

4. What steps has Yahoo! taken to restore the integrity and enhance the security of its systems in the wake of these incidents?

5. In addition to answering these questions, please provide a detailed timeline of these incidents, including Yahoo!'s initial discovery of a potential compromise of its user information, forensic investigation and subsequent security efforts, notifications to law enforcement agencies, as well as any notification to affected consumers.

We look forward to receiving your responses as soon as possible, but by no later than 5:00 p.m. on February 23, 2017. Please call Peter Feldman of the Committee staff at (202) 224-1251 with any questions regarding this request. Thank you for your prompt attention to this matter.

Sincerely,

JOHN THUNE
Chairman

JERRY MORAN
Chairman
Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security

cc: The Honorable Bill Nelson, Ranking Member
    The Honorable Richard Blumenthal, Ranking Member, Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security

Footnotes

1 Press Release, Yahoo!, Important Security Information for Yahoo Users (Dec. 14, 2016), available at l.cfm? Releasel 004285&soc_s rc=mai l& soc_trk=ma.
2 Press Release, Yahoo, An Important Message to Yahoo Users on Security (Sept. 22, 2016), available at ReleaselD=9905 70.
3 See, e.g., Hayley Tsukayama, Yahoo hit in world's biggest data breach, WASH. POST, Sept. 23, 2016, at A1.