Yahoo continues to face the aftermath of a massive data breach that targeted the company in 2014, in which at least 500 million user accounts were stolen.
On March 1, Ronald Bell resigned as general counsel and secretary and from all other positions with the company; CEO Marissa Mayer will not be paid her annual bonus; and, following the findings of several internal failings, an internal investigations committee has directed the company to implement a number of corrective actions. All of this comes from Yahoo’s Form 10-K report, issued March 1.
Those latest updates are just what’s happening within the company internally. Externally, 43 consumer class-action lawsuits have been filed, to date, against Yahoo in U.S. federal and state courts, and in foreign courts, relating to the data breach.
In addition, the company said it continues to cooperate with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the security incidents and related matters. These agencies include the Securities and Exchange Commission, the Federal Trade Commission, the U.S. Attorney’s Office for the Southern District of New York, and two state attorneys general.
All of this follows a disclosure Yahoo made in September 2016 that a copy of certain user account information for approximately 500 million user accounts was stolen from Yahoo’s network in late 2014. The company believes the user account information was stolen by a state-sponsored actor. “We have no evidence that the state-sponsored actor is currently in or accessing the company’s network,” Yahoo said in its latest quarterly filing.
The user-account information stole included names, e-mail addresses, telephone numbers, birth dates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
More data breaches
Even more damning is that Yahoo disclosed on Dec. 14, 2016 that, based on an outside forensic expert’s analysis of data files provided to the company in November 2016 by law enforcement, “we believe an unauthorized third-party stole data associated with more than one billion user accounts in August 2013.”
“We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 security incident,” Yahoo said.
For potentially affected accounts, the user account information stolen included names, e-mail addresses, telephone numbers, birth dates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. “The stolen information did not include passwords in clear text, payment card data, or bank account information,” Yahoo stated.
Outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies.
“The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016,” Yahoo said. “We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident. The forged cookies have been invalidated by the company so they cannot be used to access user accounts.”
As previously disclosed, an independent committee of the board of directors investigated the security incidents and related matters, including the scope of knowledge within the company in 2014 of access to Yahoo’s network by the state-sponsored actor responsible for the theft and related incidents, the company’s internal and external reporting processes, and remediation efforts related to the security incident.
The independent committee was assisted by independent counsel, Sidley Austin, and a forensic expert. The board has separately been advised by other outside counsel regarding the security incidents and recommendations regarding remedial actions.
Based on its investigation, the independent committee concluded that the company’s information-security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the company’s account management tool.
The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. “While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team,” Yahoo stated.
Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the independent committee did not conclude that there was an intentional suppression of relevant information.
“Nonetheless, the committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it,” according to Yahool. “As a result, the 2014 security incident was not properly investigated and analyzed at the time, and the company was not adequately advised with respect to the legal and business risks associated with the 2014 security incident.”
The independent committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident. The committee also found that the audit and finance committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 security incident and related matters.
In response to the independent committee’s findings related to the security incident, the board determined not to award Mayer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the board, Mayer offered to forgo any 2017 annual equity award given that the 2014 security incident occurred during her tenure, and the board accepted her offer.
Furthermore, in response to the independent committee’s findings and recommendations, the board has directed the company to implement or enhance a number of corrective actions, including:
Revising its technical and legal information-security incident response protocols to help ensure escalation of cyber-security incidents to senior executives and the board of directors;
Rigorous investigation of cyber-security incidents and engagement of forensic experts as appropriate;
Rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate;
Comprehensive risk assessments with respect to cyber-security events;
Effective cross-functional communication regarding cyber-security events;
Appropriate and timely disclosure of material cyber-security incidents; and
Enhanced training and oversight to help ensure processes are followed.
Yahoo, with the assistance of outside forensic experts, has concluded its investigation of the security incidents. The company continues to work with U.S. law enforcement authorities on these matters.
Yahoo said it recorded expenses of $16 million related to the data breach in the year ended Dec. 31, 2016, of which $5 million was associated with the ongoing forensic investigation and remediation activities, and $11 million was associated with “non-recurring legal costs.”
Additionally, Yahoo said it has incurred additional expenses related to the data breach “to investigate and take remedial actions to notify and protect our users and systems, and expect to continue to incur investigation, remediation, legal, and other expenses associated with the security incidents in the foreseeable future.”
The company noted that does not have cyber-security liability insurance.