The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.
Download this free guide
A Computer Weekly Buyer’s Guide to Client Access
Look at how to orchestrate the variety of devices in use, and how to achieve efficient workforce mobility.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.
The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”
The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.
“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.
Yahoo did not disclose the 2014 breach until September 2016, when it began notifying 500 million users that their email addresses, birth dates, security question answers, and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.
However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.
According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.
After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350m less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.
The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.
According to independent security consultant Graham Cluley, companies either get security or they do not, and Yahoo is an example of the latter.
“It’s no good just having an IT team that understands security,” he wrote in a blog post. “You also need to have an executive management that understands the importance of security, otherwise you have little chance of protecting your business against modern threats.”
The $350m price cut will resonate with key stakeholders in many organisations, according to Rob Norris, head of enterprise and cyber security for Europe, Middle East, India and Africa at Fujitsu.
The impact of the breaches, he said, shows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.
While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, Norris said the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.