igor - Fotolia

Yahoo breaches underline executive role in cyber security

Yahoo's data breaches cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350m off its sale price, highlighting the importance of executive involvement

The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.

The moves were revealed in the company’s latest annual report to the US Securities and Exchange Commission (SEC).

The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.

The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”

The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.

“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.

Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.

However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.

Read more about Yahoo

According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.

After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350m less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.

The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.

According to independent security consultant Graham Cluley, companies either get security or they do not, and Yahoo is an example of the latter.

“It’s no good just having an IT team that understands security,” he wrote in a blog post. “You also need to have an executive management that understands the importance of security, otherwise you have little chance of protecting your business against modern threats.”

The $350m price cut will resonate with key stakeholders in many organisations, according to Rob Norris, ‎head of enterprise and cyber security for Europe, Middle East, India and Africa at Fujitsu.

The impact of the breaches, he said, shows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.

While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, Norris said the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.

CW+

Features

Enjoy the benefits of CW+ membership, learn more and join.

Read more on Privacy and data protection

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close