Investigation focuses on why the company took two years to disclose the data breach.
The seemingly never-ending data breach saga surrounding Yahoo has stepped up a notch after the U.S. Securities and Exchange Commission launched a new investigation into a previously disclosed data breach.
The purpose of the investigation is to discover whether Yahoo should have reported its two massive data breaches sooner to investors, according to the WSJ.
The SEC is said to have already opened the investigation and issued a request for documents in December.
Yahoo is required to report the breaches in line with civil securities laws, with the SEC requiring that companies disclose any cybersecurity risks as soon as they are deemed to have an effect on investors.
The bulk of the investigation is expected to closely examine the 2014 data breach, which leaked the data of 500 million users. This breach was revealed in September 2016.
Yahoo continues to face intense pressure regarding its future and the nature of the cyber attacks that hit it in both 2014 and 2013, with one billion user accounts being breached in 2013.
The company has failed to explain why it took two years to reveal the 2014 attack.
This isn’t the first time the SEC has come in to investigate the reporting of a data breach. Target was previously under the microscope regarding a breach in 2013 that saw 70 million credit and debit card accounts hacked. The company reported the breach a few weeks after the breach began and the SEC didn’t recommend any enforcement action.
Although the SEC is investigating Yahoo, it has never taken action against a company for failing to disclose a cyber attack.
The SEC isn’t the only agency looking into the breach, with the Federal Trade Commission, the U.S. Attorney’s Office in Manhattan and a number of state attorneys general also said to be investigating.
Yahoo is expected to report its fourth-quarter earnings on Monday, after the market closes in the US.