The current and former chief executives of credit bureau Equifax, which disclosed in September that a data breach affected as many as 145.5 million US consumers, said they did not know who was responsible for the attack. The consulting firm, Mandiant, said the tactics aren't familiar.
Politicians are threatening greater intervention in tech firms' business.
He said a federal law should replace that patchwork of laws. Brian Schatz of Hawaii says, calling it "unfathomable".
Sen. John Thune, R-S.D., the committee chairman, said 48 states have separate laws governing how and when companies must notify consumers of a breach.
Mayer says Yahoo, which originally said only 1 billion accounts were affected, didn't find out about the hack until it got data from the government in 2016 and still hasn't figured out how it happened, though she says Russian intelligence officers have launched attacks on Yahoo systems.
The hearing will feature testimony from a current and a former official who worked on the response to Yahoo!'s 2013 data breach, which the company announced only last month affected all 3 billion user accounts, as well as the current and former CEO of Equifax, which suffered a 2017 breach reported to affect approximately 145 million individuals, including sensitive personal and financial information.
But some of the senators pushed the companies to provide more protection.
They criticised the payouts to top executives after the breaches and asked about more secure ways to identify people than relying on their Social Security number.
"All the data, everything that defines my life, I have no control over it", said Senator Cory Gardner, a Republican from Colorado.
"How do you really think you could have protected yourself?"
"We have to figure this out", said Senator Catherine Cortez-Masto, a Democrat from Nevada.
Mayer volunteered to testify on data breaches, but only after being subpoenaed.
Paulino do Rego Barros, Jr.
"Mandiant has not been able to attribute the identified attacker activity within the Equifax environment to any targeted threat actor group that Mandiant now tracks", the firm said in the summary of their report.
Ms Mayer said increasing the potential consequences of hacks for the perpetrators would help deter attacks, on both the state-sponsored and commercial side.