San Francisco Chronicle

Yahoo execs knew of hack

- By Wendy Lee

Yahoo’s senior executives and legal team were aware of a security breach in 2014 but failed to investigate further, resulting in the company’s disclosure two years later that data from at least 500 million accounts had been stolen, according to the annual report filed with the Securities and Exchange Commission on Wednesday.

An independent board committee that examined the security breach placed the blame on the company’s legal team, saying that it “had sufficient information to warrant substantial further inquiry in 2014, but they did not pursue it.”

At the time, Yahoo notified 26 users about the breach and told law enforcement, but did not take further investigative action. In late December 2014, Yahoo’s security team knew that the hacker had copies of backup files that had users’ personal information. The committee, made up of two board members who are not Yahoo executives, assisted by outside counsel and a forensics expert, said Yahoo’s legal team did not “adequately” advise the company or its board of the legal and business risks surrounding the breach.

“The independent committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident,” the report said.

Yahoo’s general counsel, Ronald Bell, resigned on Wednesday after working at Yahoo for 17 years. CEO Marissa Mayer said she will not receive her 2016 cash bonus. She also offered to forgo her annual stock package, and the board agreed.

Mayer said in a statement she didn’t become aware until September that a “large number of our user database files had been stolen” in 2014.

“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted,” she said.

The 2014 data breach was the second-largest in the nation’s history. So far, 43 class-action lawsuits have been filed related to security breaches at the company between 2013 and 2016. Besides the 2014 incident, Yahoo disclosed last year that more than 1 billion accounts were affected by a 2013 data breach. In 2015 and 2016, about 32 million Yahoo accounts were affected by hacking through forged cookies. Cookies are tools that allow the website and a computer to save information, such as a user name, password or address, so it doesn’t need to be re-entered.

The 2014 breach affecting at least 500 million accounts was not disclosed to Verizon at the time it negotiated a deal to buy Yahoo’s Internet properties. According to the annual report, the independent committee “did not conclude that there was an intentional suppression of relevant information.”

“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team,” the report said.

Verizon and Yahoo announced last week that the price of the deal would be cut by $350 million to $4.48 billion. That deal is expected to close in the second quarter. Verizon on Wednesday declined to comment on Yahoo’s report.
