An independent committee investigation of two major Yahoo data breaches found the company failed to properly investigate hacks that compromised more than a billion user accounts, according to a filing submitted to the U.S. Securities and Exchange Commission (SEC). In response to the investigation, Yahoo made a number of leadership changes.
It's Yahoo’s lawyer that will pay the biggest price for the revelations of the cybersecurity shortcomings. Yahoo general counsel Ronald Bell resigned after the SEC report found Yahoo’s "legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it," according to a Yahoo regulatory filing.
In response to the incident, Yahoo CEO Marissa Mayer said she worked with a team to disclose the incident to users regulators and government agencies, according to her Tumblr post Monday. But as a result of the incident, Meyer said, "I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees." According to Yahoo, Mayer is eligible to receive a bonus of up to $2 million each year.
Yahoo’s problems hail back to forged browser cookies and the breach of 26 accounts that consequently opened the company’s account management tool and exposed many more accounts, according to outside investigators. The investigation found that although Yahoo knew about the 26 accounts, they did not investigate the incident broadly or quickly enough, allowing it to grow into a much bigger problem.
Prevention and thorough investigations truly are the best medicine. The fallout from the Yahoo breaches is enormous. Looking at dollar figures alone, Yahoo says its spent $16 million on legal expenses so far, and that could soon climb much higher as the company prepares to deal with more than 40 lawsuits filed against it. Yahoo's handling and disclosure of the breaches is also currently under investigation by the Federal Trade Commission.
The loss of her bonus equates to little more than a slap on the wrist for Mayer, who gets to keep her job and already makes millions each year. Bell appears to be the true scapegoat here, as it’s clear Meyer and other Yahoo executives could have done much more once they learned about the breaches.
Cybersecurity issues are becoming a bottom line issue for businesses. Experts agree there are now stakeholders across lines of business who have organizational security top of mind, including CEOs, CFOs, general council, CIOs and chief risk officers.