
Yahoo CEO forgoes bonus as 32 million breach victims revealed


steven36


A recent regulatory filing from Yahoo has revealed more victims of its 2014 breach. This time, it is not just users but Yahoo's senior executives.


Senior Yahoo staff are feeling the repercussions of the company's problems as it discloses that 32 million users may have been affected by forged cookies in the aftermath of its 2014 mega breach.

 

Marissa Mayer, Yahoo's CEO, will personally lose her US$ 2 million (£1.6 million) bonus this year, along with her US$ 14 million (£11.4 million) equity grant which will go to Yahoo's 8,500 employees instead.

Mayer published a short blogpost on 1 March 2017 saying that she only learnt of the breach in September 2016, but because the incident happened on her watch, “I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees.”

 

Yahoo's general counsel, Ronald Bell, also resigned over the failure to report the breach. This was revealed in the company's 10-K filing, in which Yahoo admits responsibility for failing to tell shareholders, users or the public about the breach.

Senior executives and legal staff were aware of the incident at the time, but the company then understood it to involve only 26 specifically targeted users, who were notified. It was later learnt that the scale of the breach was far bigger, potentially affecting 500 million users.

 

The report notes:  “It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team.”

 

While Yahoo's information security team knew that the adversary had stolen copies of user database backup files containing personal data, “it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.” It was, according to an independent review, “failures in communication, management, inquiry and internal reporting” which led to the 2014 breach not being disclosed until around two years later.

 

Also included in the 10-K is the revelation that 32 million users were affected over 2015 and 2016 by forged cookies, since invalidated, which could allow access to accounts without a password.

Yahoo believes the cookies were forged using proprietary code stolen from the company, and links them to the state-sponsored actor responsible for the long-undisclosed 2014 breach.

The public disclosure of that breach was closely followed by another: Yahoo revealed a second, separate incident, dating from 2013, in which attackers made off with the information of 1 billion accounts. It was labelled by some as the biggest breach ever recorded.

 

Last week it was announced that Yahoo's final sale price in its acquisition by Verizon would be discounted by US$ 350 million (£285 million). The reduced deal was worked out in light of Yahoo's disclosures of the two breaches and the attendant legal problems that Verizon would have to take on along with the company. Mayer will resign as Yahoo CEO once the sale is formally approved.

 

Getting the board to pay attention to security has long been a concern of IT security professionals. Paul Edon, director at Tripwire, told SC Media UK that this sets an interesting precedent: “Whether or not this is a well-orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have.”

 

Paul Calatayud, CTO at FireMon, told SC: “When Yahoo's CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired and it will be more commonplace for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organisation.”

 

By Max Metzger

https://www.scmagazineuk.com/yahoo-ceo-forgoes-bonus-as-32-million-breach-victims-revealed/article/641511/
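The article says forged cookies gave access to accounts without a password and that they were minted from stolen proprietary code, but the 10-K does not describe Yahoo's cookie format, so the following is an added illustration, not the article's own material and not Yahoo's actual scheme. It models a generic HMAC-signed session cookie: the stolen "proprietary code" is stood in for by the signing key, the user names, key and timestamp are constructed for the demo, and `SessionCookies`, `forge_cookie` and `demo` are names chosen here. It shows why possession of the signing material is equivalent to a password for every account, and why "invalidating" the forged cookies comes down to rotating the key, which also logs out every legitimate session.

```python
"""Generic HMAC session cookie, an attacker forging one with a stolen key,
and key rotation as the remediation.  Illustration only; not Yahoo's format."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


class SessionCookies:
    """Minimal authenticated session cookie of the form user|expiry|tag."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key

    def _tag(self, payload: bytes) -> str:
        return hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()

    def issue(self, user: str, ttl_seconds: int = 3600,
              now: Optional[float] = None) -> str:
        """Mint a cookie for `user`; `now` is injectable so tests are deterministic."""
        expiry = int((time.time() if now is None else now) + ttl_seconds)
        payload = f"{user}|{expiry}".encode()
        return f"{payload.decode()}|{self._tag(payload)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user if the tag is valid and the cookie is unexpired, else None."""
        try:
            user, expiry, tag = cookie.split("|")
        except ValueError:
            return None  # malformed cookie
        payload = f"{user}|{expiry}".encode()
        # constant-time comparison so the tag check itself does not leak
        if not hmac.compare_digest(self._tag(payload), tag):
            return None
        if int(expiry) < (time.time() if now is None else now):
            return None
        return user

    def rotate_key(self) -> None:
        """Remediation: a fresh key makes every outstanding cookie, forged or
        legitimate, fail verification."""
        self.signing_key = secrets.token_bytes(32)


def forge_cookie(stolen_key: bytes, victim: str, now: float) -> str:
    """Attacker holding the signing material mints a long-lived cookie for any
    account, with no password involved (assumed attacker step, not from the 10-K)."""
    return SessionCookies(stolen_key).issue(victim, ttl_seconds=86400 * 365, now=now)


def demo() -> dict:
    now = 1_420_000_000.0  # constructed fixed timestamp
    server = SessionCookies(b"constructed-demo-key-do-not-use")  # constructed key
    legit = server.issue("alice", now=now)
    stolen_key = server.signing_key  # stands in for stolen proprietary code
    forged = forge_cookie(stolen_key, "victim@example.com", now)

    results = {
        "legit_before": server.verify(legit, now=now),      # 'alice'
        "forged_before": server.verify(forged, now=now),    # 'victim@example.com'
        # changing the user without the key breaks the tag
        "tampered": server.verify(forged.replace("victim", "other"), now=now),
    }
    server.rotate_key()
    results["legit_after"] = server.verify(legit, now=now)    # None
    results["forged_after"] = server.verify(forged, now=now)  # None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for defenders is the asymmetry in the last two results: whoever holds the signing material does not need any user's password, and once that material is suspected stolen there is no way to distinguish forged from legitimate cookies by inspection, so rotation is the only clean invalidation.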

 



On 3/3/2017 at 9:16 AM, steven36 said:

Yahoo's general counsel, Ronald Bell also resigned over the failure to report the breach.

 

I was part of a meeting 10 years ago concerning a possible breach of an organization that I discovered during a forensic investigation. According to the laws that were in existence at the time, the lawyers advised the organization that if they said there was no breach, there was no breach, and as such no further investigation into the possible breach was allowed to be conducted. There is a reason why lawyers are always compared to snakes in the grass or sharks in the ocean, neither of which speaks well of the profession as a whole.

 

I am surprised that Marissa didn't start screaming about equality since I can't think of any similar action taken against a male CEO, though there should have been. Usually it is just the Security Officer that takes the heat. And usually the breach happened because the Security Officer was directed by the CEO not to implement something that, while protecting the organization, would cause the users to have to change the way they work. And I have little faith in the honesty of Marissa's blog post being how she really feels. Giving up her bonus and equity was probably the only thing that saved her job. A Board of Directors can be a very convincing entity when they say it is the money or your job.
