Probe Finds Executives Failed to Fully Understand or Investigate Breaches
Yahoo CEO Marissa Mayer will lose her cash bonus after an independent investigation into security breaches at the search giant found that the company’s senior executives and legal team failed to properly comprehend or investigate the severity of the attacks.
Yahoo’s top lawyer, Ronald Bell, has also resigned without severance pay.
The results of the probe, including new details about the 2014 security breach that the company suffered – which compromised 500 million users’ accounts – are contained in Yahoo’s latest annual filing, released March 1.
An independent committee commissioned by Yahoo’s board has concluded that senior executives “did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team,” including the team’s finding in December 2014 that attackers “had exfiltrated copies of user database backup files containing the personal data of Yahoo users,” it says.
The investigation also found that “it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team,” but “did not conclude that there was an intentional suppression of relevant information.”
That attack compromised account information relating to 500 million users.
No Bonus for CEO
As a result of the investigation, Yahoo’s board of directors says that it will not award Mayer a cash bonus for 2016 that she otherwise would have received. It says it’s also accepted her offer to forego any 2017 equity award, “given that the 2014 security incident occurred during her tenure.”
Mayer appears to dispute some findings related to the independent investigation, in particular relating to the 2014 attack. “When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies,” Mayer says in a Tumblr blog. “However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees.” The board has not yet responded to that request.
Mayer’s lost bonus is worth $2 million, given that her target cash bonus is double her $1 million salary, “subject to the board’s evaluation of your performance and then current market compensatory levels and practices,” according to her original employment letter.
It also promises that she will be awarded an equity package of at least $12 million per year. In 2015, Mayer received $35 million in total pay, which included no performance-related bonus, The Wall Street Journal reported.
Executives Failed to Act
In late 2014, investigators found, “senior executives and relevant legal staff” knew that an attacker had exploited Yahoo’s account management tool. “The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement,” it says, but investigators “found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident.” Executives also failed to notify the company’s audit and finance committee or the full board of directors about “the full severity, risks, and potential impacts” of the attack, investigators say.
Yahoo first detailed the attacks publicly in September 2016, two months after it agreed to be acquired by Verizon for $4.8 billion.
In the wake of the breach disclosures, Verizon has negotiated a $350 million discount in the purchase price, and will require Yahoo to absorb all costs stemming from shareholder lawsuits and Securities and Exchange Commission investigations.
Separate From 2013 Attack
The aforementioned attack appears to be unrelated to a breach that the company learned about in November 2016, when a law enforcement agency shared data with it; Yahoo publicly disclosed that breach the next month, after a digital forensic expert had analyzed the data. Yahoo says it believes the breach occurred in August 2013 and compromised account information – including names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases security questions and answers – for 1 billion users.
“We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 security incident,” it says.
Senior executives’ failure to fully investigate the 2014 attack had apparent repercussions. In particular, investigators believe that the 2014 attacker was also responsible for cookie-forging attacks seen in 2015 and 2016. A session cookie is a token that a site sets in the user’s browser after login and then accepts on later requests as proof of that login (the same mechanism also lets sites recognize returning users and deliver targeted advertising). An attacker who can forge a cookie that Yahoo’s servers accept is treated as already authenticated and never has to supply the account’s password.
The filing attributes the activity to a nation-state. “We believe such a state-sponsored actor was responsible for the theft involved in the 2014 security incident and for at least some of the cookie forging activity,” Yahoo says.
Investigators say cookies for 32 million user accounts appear to have been stolen or used by attackers in 2015 and 2016.
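To make concrete what “forging a cookie” means and what stops it, the following is an added example (not code from the article, from Yahoo, or from any real Yahoo system). It contrasts a cookie that merely encodes the user’s identity, which anyone can mint, with a cookie whose validity is bound to a server-side HMAC key. The key, user names and cookie layout are constructed for illustration, and the example goes beyond the article in also showing the failure mode that matters here: once the signing key leaks, the attacker can mint cookies the server accepts exactly as if they were legitimate.

```python
"""Session-cookie forgery: an unsigned cookie anyone can mint, next to an
HMAC-SHA256-signed cookie that only the holder of the server key can mint.
Added example; key, names and the cookie layout are constructed, not Yahoo's."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


# --- Weak design: the cookie is just the encoded identity. Nothing binds it
# --- to the server, so "forging" is simply encoding the victim's name.
def mint_unsigned_cookie(user_id: str) -> str:
    return _b64e(user_id.encode())


def naive_lookup(cookie: str) -> str:
    """Trusts whatever identity the cookie carries."""
    return _b64d(cookie).decode()


# --- Hardened design: cookie = base64(payload) "." base64(HMAC-SHA256(key, payload)).
def mint_signed_cookie(user_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    payload = json.dumps({"uid": user_id, "iat": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_signed_cookie(cookie: str, now: int, max_age: int = 3600,
                         key: bytes = SERVER_KEY):
    """Return the user id if the tag is valid and the cookie is fresh, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(payload)
        uid, iat = data["uid"], int(data["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if now - iat > max_age:          # stolen cookies stop working after expiry
        return None
    return uid


def forge_by_editing(cookie: str, new_user: str) -> str:
    """Attacker without the key: rewrite the identity but keep the old tag."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    data = json.loads(_b64d(payload_b64))
    data["uid"] = new_user
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(payload) + "." + tag_b64


if __name__ == "__main__":
    alice = mint_signed_cookie("alice", issued_at=1000)
    print("legit cookie  ->", verify_signed_cookie(alice, now=1500))
    print("edited cookie ->", verify_signed_cookie(forge_by_editing(alice, "victim"), now=1500))
    print("unsigned      ->", naive_lookup(mint_unsigned_cookie("victim")))
    # Once the key leaks, the attacker mints cookies the server cannot distinguish.
    print("leaked key    ->", verify_signed_cookie(mint_signed_cookie("victim", 1000), now=1500))
    # Rotating the key invalidates every outstanding cookie, forged or not.
    print("after rotate  ->", verify_signed_cookie(alice, now=1500, key=b"rotated-key"))
```

Two points a practitioner should take from this. First, the signature only moves the problem: validity now rests entirely on the secrecy of the server key, so if the key (or the code that embeds it) is exfiltrated, forged cookies are indistinguishable from real ones and the only remedy is rotating the key, which logs every user out. Second, signing does nothing against replay of a cookie that was stolen intact, which is why the expiry check and the ability to invalidate sessions server-side matter alongside the HMAC.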
Board to Executives: Do Better
Based on the investigation, Yahoo’s board has instructed senior executives to beef up the company’s information security and incident response practices and procedures to help ensure “escalation of cybersecurity incidents to senior executives and the board of directors.” It also wants to ensure that information security incidents get thoroughly investigated and forensic experts brought in whenever appropriate.
Yahoo, which does not have cybersecurity liability insurance, said it last year spent $5 million as part of ongoing digital forensic investigations and remediation costs related to the security breaches, as well as $11 million in related legal fees.
To date, 43 consumer class-action lawsuits have been filed against Yahoo in U.S. federal and state courts, and in foreign courts, the company says. Yahoo is also being investigated by the SEC and has faced breach-related questions from the Senate Committee on Commerce, Science and Transportation.
Yahoo has promised to brief senators on the latest findings into the breaches suffered by the company, and executives’ response.