igor - Fotolia

Yahoo breaches underline executive role in cyber security

Yahoo's data breaches cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350m off its sale price, highlighting the importance of executive involvement

The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.

The moves were revealed in the company’s latest annual report to the US Securities and Exchange Commission (SEC).

The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.

The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”

The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.

“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.

Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.

However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.

Read more about Yahoo

  • Yahoo announces another strategic plan to reduce costs by $400m and raise up to $3bn in the wake of a $4.43bn loss for the fourth quarter of 2015.
  • Yahoo is expected to announce that it will not place its 15% Alibaba holding in a separate company, but focus instead on its core business.
  • Yahoo announces it will close its research and development centre in China in plans to consolidate research and cut costs.

According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.

After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350m less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.

The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.

According to independent security consultant Graham Cluley, companies either get security or they do not, and Yahoo is an example of the latter.

“It’s no good just having an IT team that understands security,” he wrote in a blog post. “You also need to have an executive management that understands the importance of security, otherwise you have little chance of protecting your business against modern threats.”

The $350m price cut will resonate with key stakeholders in many organisations, according to Rob Norris, ‎head of enterprise and cyber security for Europe, Middle East, India and Africa at Fujitsu.

The impact of the breaches, he said, shows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.

While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, Norris said the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.

Read more on Privacy and data protection

Data Center
Data Management