Yahoo CEO Mayer Loses Bonus And Lawyer Resigns On Security Breach

(RTTNews) - Yahoo Inc.(YHOO) disclosed in a regulatory filing Wednesday that Chief Executive Marissa Mayer will take a pay cut after a board investigation found that she and other senior executives failed to "properly comprehend or investigate" a 2014 security breach that hit more than 500 million accounts.

In response to the Independent Committee's findings related to the 2014 Security Incident, the Board determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the Board, the Chief Executive Officer offered to forgo any 2017 annual equity award given that the 2014 Security Incident occurred during her tenure and the Board accepted her offer.

On March 1, 2017, Ronald Bell resigned as the Company's General Counsel and Secretary and from all other positions with the Company. No payments are being made to Mr. Bell in connection with his resignation.

Additionally, in response to the Independent Committee's findings and recommendations, the Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.

On September 22, 2016, the companydisclosed that a copy of certain user account information for approximately 500 million user accounts was stolen from Yahoo's network in late 2014. The Company believes the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The forensic investigation indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected.

On December 14, 2016, the company disclosed that it believes an unauthorized third party stole data associated with more than one billion user accounts in August 2013. It has not been able to identify the intrusion associated with this theft, and It believes this incident is likely distinct from the 2014 Security Incident. For potentially affected accounts, the user account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include passwords in clear text, payment card data, or bank account information.

In November and December 2016, the company disclosed that outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the investigation, the company believes an unauthorized third party accessed the Company's proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 . The company believes that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.

The Company, with the assistance of outside forensic experts, has concluded its investigation of the Security Incidents. The Company continues to work with U.S. law enforcement authorities on these matters.

The Company noted that it recorded expenses of $16 million related to the Security Incidents in the year ended December 31, 2016, of which $5 million was associated with the ongoing forensic investigation and remediation activities and $11 million was associated with nonrecurring legal costs. The Security Incidents did not have a material adverse impact on business, cash flows, financial condition, or results of operations for the year ended December 31, 2016. However, the company have subsequently incurred additional expenses related to the Security Incidents to investigate and take remedial actions to notify and protect users and systems, and expect to continue to incur investigation, remediation, legal, and other expenses associated with the Security Incidents in the foreseeable future.

The company will recognize and include these expenses as part of our operating expenses as they are incurred. The Company does not have cybersecurity liability insurance.

To date, approximately 43 putative consumer class action lawsuits have been filed against the Company in U.S. federal and state courts, and in foreign courts, relating to the Security Incidents.

In addition, the Company said it is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incidents and related matters, including the U.S. Securities and Exchange Commission, the U.S. Federal Trade Commission, the U.S. Attorney's Office for the Southern District of New York, and two State Attorneys General.

Based on its investigation, the Independent Committee concluded that the Company's information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.

However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.