Senior Yahoo staff are feeling the repercussions of the company's problems as it discloses that 32 million users may have been affected by the aftermath of its 2014 mega breach.
Marissa Mayer, Yahoo's CEO, will personally lose her US$ 2 million (£1.6 million) bonus this year, along with her US$ 14 million (£11.4 million) equity grant which will go to Yahoo's 8,500 employees instead.
Mayer published a short blogpost on 1st of March saying that she only learnt of the breach in September 2016 but because the incident happened on her watch, “I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees.”
Yahoo's general counsel, Ronald Bell, also resigned over the failure to report the breach. The news was revealed in the filing of the company's 10-K report, in which Yahoo admits responsibility for failing to tell shareholders, users or the public about the breach.
While senior executives and legal staff were aware of the incident, the understanding at the time was that only 26 specifically targeted users had been affected. It was later learnt that the scale of the breach was far bigger, potentially affecting 500 million users.
The report notes: “It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team.”
While Yahoo's information security team knew that the adversary had stolen copies of user database backup files containing personal data, “it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.” It was, according to an independent review, “failures in communication, management, inquiry and internal reporting” which led to the 2014 breach not being disclosed until around two years later.
Also included in the 10-K is the revelation that 32 million users were affected over 2015 and 2016 by now-invalidated forged cookies, which could allow access to accounts without passwords.
Yahoo believes the cookies were created using proprietary code stolen from Yahoo and that they are connected to the state-sponsored actors responsible for the long-undisclosed 2014 breach.
The public disclosure of the breach was closely followed by another: Yahoo had been hit again, with attackers making off with the information of 1 billion accounts. That breach was labelled by some as the biggest ever recorded.
Last week it was announced that Yahoo's final sale price in its acquisition by global media giant Verizon would be discounted by US$ 350 million (£285 million). The revised deal was worked out in light of Yahoo's disclosures of the two breaches and the attendant legal problems that Verizon would have to take on along with the company. Mayer will resign as Yahoo CEO once the sale is formally approved.
Getting the board to pay attention to security has long been a concern of IT security professionals. Paul Edon, director at Tripwire, told SC Media UK that this sets an interesting precedent: “Whether or not this is a well-orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have.”
Paul Calatayud, CTO at FireMon, told SC: “When Yahoo's CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired and it will be more commonplace for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organisation.”