- Marissa Mayer, former CEO of Yahoo, admitted that the company still does not know how the 2013 data breach was "perpetrated," during a testimony before the Senate Commerce, Science and Transportation committee in Washington, D.C. on Wednesday. She was joined by the Paulino do Rego Barros Jr., interim CEO of Equifax, and Richard Smith, former CEO of Equifax.
- Yahoo was a "victim" of a Russian state-sponsored attack, Mayer said. The company was "praised" for its proactivity and cooperation with federal agencies upon discovery of the attack, she said.
- Penalties should not be replaced by apologies, said Sen. Richard Blumenthal, D-CT. If Congress is able to hold bad actors accountable such as hackers, he said, companies and executives responsible for mishandling vulnerable data should also face civil penalties. New legislation proposed by the senator, the Data Breach Accountability and Enforcement Act of 2017, would enable the FTC to investigate any entity that discloses a data breach.
Current legislation is weak and does not effectively hold companies accountable for data negligence. The same is true for incentives to motivate companies to improve security practices.
Yahoo, now owned by Verizon, suffered a 2013 data breach that was initially believed to have impacted one billion users. It was later revealed all three billion users were compromised in October. Yahoo did not learn of the attack until a third party notified the company in 2014, according to Mayer's testimony.
The question circles back to redundancy measures and the culture of leadership in a company. Though Yahoo's admittance was for more transparency measures, Equifax's handling of its breach resulted in mounted scrutiny over the handling and notification measures.
Ultimately, patching is a sentiment deeply woven into the foundation of functional security. Without it, companies are likely to face increasingly sophisticated attacks with less armor to protect itself.
The structure of a company's leadership strongly affects IT. If communication between technical and C-suite officials is lacking, gaps in security practices will persist.
To remedy this structure, Barros said Equifax is taking steps towards strengthening its approach to data security as the CSO now reports directly to him. Additionally, he has appointed a chief transformation officer to oversee Equifax's post-breach resolution efforts.
As for Verizon's role in Yahoo's breach, the solution is a universal framework, including a standard for when and how impacted users are notified, according to Karen Zacharia, chief privacy officer at Verizon, at the congressional hearing. But she warned that notifications should not be too overwhelming, or it may prompt customers to stop paying attention.