Yahoo Reveals New Details of Major 2013-2016 Security Breaches
By Shirley Siluk / Data Storage Today. Updated March 02, 2017.
Following an independent committee investigation into a series of major security breaches affecting more than 1 billion user accounts, Yahoo CEO Marissa Mayer will lose out on a cash bonus and an equity award reportedly worth around $14 million.
The committee's findings, outlined in a company filing yesterday with the Securities and Exchange Commission (SEC), also prompted the resignation of Yahoo general counsel and secretary Ronald Bell.
Yahoo's 10-K annual report revealed additional details about the committee's investigation into the theft of account information in 2013 and 2014 that affected 1 billion and 500 million user accounts, respectively. The company also reported that an unauthorized third party created forged cookies in 2015 and 2016 that could have enabled password-free access to some 32 million user accounts.
Investigators have concluded that the same unidentified state-sponsored actor is believed to be responsible for both the 2014 breach and the later cookie-forging incident.
Years of Breaches, Declining Fortunes
Yesterday's SEC filing was the latest chapter in the years-long saga of Yahoo's declining fortunes. Once valued at more than $44 billion, the company is soon set to be acquired by Verizon for $4.48 billion, which reflects a recent $350 million price cut due to Yahoo's serious security problems over the past few years.
The committee and outside forensics experts brought in to investigate the three large security breaches that occurred between 2013 and 2016 concluded that Yahoo's information security team had "contemporaneous knowledge" about the incidents in 2014, 2015 and 2016, according to the SEC filing. Senior executives and legal staff also knew of the breaches but "failed to act sufficiently" on that knowledge, the committee noted.
In response, Yahoo's board of directors said it would not award Mayer an expected 2016 cash bonus. Mayer also offered to forgo any 2017 equity award funds as the 2014 security incident occurred during her tenure.
"When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies," Mayer wrote yesterday on her Tumblr blog. "However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016."
The board added that no payments would be made to general counsel Bell in connection with his resignation in response to the committee's findings.
43 Class Action Lawsuits
While the investigating committee found Yahoo executives were aware of the company's security failings, the scale of those breaches did not become widely known until after Verizon announced its acquisition plans last summer.
Yahoo is currently facing 43 class action lawsuits brought by U.S. users in light of those breach disclosures. The company also continues to work with U.S. law enforcement authorities investigating those breaches.
Based on the committee's findings, Yahoo's board of directors has ordered a number of changes in how the company responds to and investigates cybersecurity incidents.
Expected to close in the second quarter of this year, the Yahoo sale will see core parts of its business join the remains of another one-time Internet giant -- AOL -- that are now part of Verizon. The remaining pieces of Yahoo's operations will continue under the new brand name Altaba.