Senior Yahoo staff are feeling the repercussions of the company's problems as it discloses that 32 million users may have been affected by the aftermath of its 2014 mega breach.
Marissa Mayer, Yahoo's CEO, will personally lose her US$ 2 million (£1.6 million) bonus this year, along with her US$ 14 million (£11.4 million) equity grant which will go to Yahoo's 8,500 employees instead.
Mayer published a short blogpost on 1st of March saying that she only learnt of the breach in September 2016 but because the incident happened on her watch, “I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees.”
Yahoo's general counsel, Ronald Bell also resigned over the failure to report the breach. This news was revealed in the filing of the company's 10-K report in which Yahoo admits responsibility over failing to tell shareholders, users or the public about the breach.
While senior executives and legal staff were aware of the incident, only 26 specifically targeted users were affected. It was later learnt that the scale of the breach was far bigger, potentially affecting 500 million users.
The report notes: “It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team.”
While Yahoo's information security team knew that the adversary had stolen copies of user database backup files which contained personal data, “it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.” It was, according to an independent review, “ failures in communication, management, inquiry and internal reporting” which led to the 2014 breach not being disclosed until around two years later.
Included in the 10-K is the revelation that that 32 million users were affected over 2015 and 2016 by the now-invalidated forged cookies. The report that could allow access to accounts without passwords.
Yahoo believes the cookies to have been created from proprietary code stolen from Yahoo and are connected to the state-sponsored actors responsible for the long-quiet 2014 breach.
The public disclosure of the breach was closely followed by another; that Yahoo had been hit again which attackers making off with the information of 1 billion accounts. The breach was labelled by some as the biggest breach ever recorded.
Last week it was announced that Yahoo's final sale price in its acquisition by global media giant, Verizon would be discounted by US$ 350 million (£285 million). The deal was worked out in light of Yahoo's disclosures of the two breaches and the attendant legal problems that Verizon would have to adopt along with the company. Mayer will resign as Yahoo CEO once the sale is formally approved.
Getting the board to pay attention to security has long been a concern of IT security professionals. Paul Edon, director at Tripwire, told SC Media UK that this sets an interesting precedent: “Whether or not this is a well orchestrated PR stunt from Mayer, it shows that data breaches are a problem that the board needs to be responsible for fixing. This case also underlines the importance of involving the CISO in board-level discussions because their proximity to the internal challenges and understanding of the associated business risks can help the board to appreciate the impact any future breach could have.”
Paul Calatayud, CTO at FireMon told SC: “When Yahoo's CEO decided not to take her bonus, she accepted responsibility for failures from the breach. Some CEOs have been fired and it will be more common place for CEOs to be held accountable for breaches, especially if the CISO is smart enough to understand their true role within the organisation.”“The security breach and subsequent events that have unfolded at Yahoo have called into question the punitive process for companies that fail to properly disclose when customer data has been compromised," Michael Patterson, CEO of Plixer, told SC Media on Thursday. "Yahoo, under the leadership of Marissa Mayer, has negotiated a $5 billion sale to Verizon, while only paying $350 million in damages. It could be surmised that if the Yahoo breach had been disclosed prior to the Verizon deal, the sale price would have been impacted by far more than the $350 million in damages paid."
The lack of greater penalty is essentially an incentive not to pay for companies to publicly disclose security breaches, Patterson said. "Unfortunately in this case, the customers whose data was stolen will pay a bigger price than the company that failed to properly protect that data.”
“The Yahoo saga continues," Brad Bussie, director of product management at STEALTHbits Technologies, told SC on Thursday. "Clear signs back in 2014 and 2015 were apparent that something was amiss with corporate security. Hindsight is 20/20, but by looking back at several actions, we can help prevent similar breaches in the future."
First and foremost, he says, when a CISO resigns due to battles with the CEO about security policies and procedures, we need to stand up and take notice. "When a CISO position vacates this should immediately trigger a full independent audit of policies and systems. Perhaps this simple action would help mitigate the 'revolving chair' stigma the CISO job now carries with it."
Second, Bussie said, cyber incidents need to be disclosed to the board when they occur, not years later. "Think of this scenario like change management. We don't make changes without approval because of the potential impact a change can have on a business. The same goes for security. How can you properly handle a vulnerability or breach without all hands on deck? You can't, and Yahoo and others have proven it."
The bottom line, Bussie said, is we should treat the repeated breaches as valuable lessons. "The media will continue to talk about how those still left at Yahoo are being disciplined and losing bonuses/equity. In my mind, this is a bit like punishing a puppy for chewing on the furniture three years after it happened. The puppy doesn't even know why they are being disciplined anymore.”
It's easy to villainize a company or an executive for having a data leak, Terry Ray, chief strategist at Imperva, told SC, but he believes it's worth noting that many companies would have been unable to prevent a forged cookie. "The sad unfortunate truth about web applications is that most of them are not patched when they should be, almost all of them have components that rarely if ever get patched, and cookie attacks don't get the same level of attention as more common attacks, like SQL injection and cross site scripting."
Ray admitted he wasn't aware of what security controls Yahoo had in place protecting its web applications beyond standard coding practices, but he said they should have at least had a web application firewall capable of detecting cookie injection, unknown cookies and cookie tampering (forged cookies).
"If they didn't have web application firewalls in place – which have been mainstream for years – or if they had them installed, but didn't have them actively enforcing good behavior, I'd suggest this was due to budgetary or corporate strategic decisions made at high levels,” Ray said.
