Yahoo! dysfunction! meant! security! warnings! were! ignored!

Investigation reveals 32 million accounts were attacked with forged cookies, costing CEO Marissa Mayer her bonus

Yahoo!'s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company's reputation and finding the company knew about the gravity of the situation but failed to act properly to address it. Mayer has also decided to forgo an award of equity due to her this year.

News of the decisions and Yahoo!'s investigation into the hacks emerged today with the publication of the company's Form 10-K, the warts-and-all documents US public companies are required to file each year to disclose just about any risk they face.

The 10-K summarises the results of an Independent Committee's investigation of the 2014 hack and the news isn't good for Yahoo! because the investigators "... concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016."

"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool," the 10-K says, explaining that while the company "took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement" those efforts weren't sufficient.

The filing offers this observation about Yahoo!'s conduct:

...it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.

It gets worse, as the 10-K also offers the following analysis:

Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.

There's a tiny ray of sunshine in that the Independent Committee "did not conclude that there was an intentional suppression of relevant information."

But the investigators did find "... that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident."

And those risks were substantial, because the 10-K reveals that the forensic experts it hired to look into the creation of forged cookies that could allow an intruder to access users’ accounts without a password have found that "an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies."

"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016," the 10-K filing states.

The good news is that Yahoo! has "invalidated" those cookies "so they cannot be used to access user accounts."

The bad news is that the investigation found "... failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters."

Marketers for information security companies and governance educators probably want to have those remarks framed.

The rest of us won't: Mayer's bonus is US$2m and her equity grant is usually about $12m of stock. That's peanuts compared to the US$350m Verizon has trimmed from its offer to buy Yahoo!. Mayer's lost haul is probably also well below the company's bill for lawyers to fight the "approximately 43 putative consumer class action lawsuits" the Form 10-K says have been filed to date regarding the 2014 security breach.

Yahoo! doesn't think they will amount to much: the filing says "... the Company does not believe that a loss from these matters is probable and therefore has not recorded an accrual for litigation or other contingencies relating to the Security Incidents." ®

