Yahoo’s quarterly SEC filings have been the only window into the massive data breaches that have exposed more than 1.5 billion records in the past four years. This week, Yahoo’s Q4 2016 filing was made public, and the view got uglier.
The company admitted to the SEC and its investors that its security team was aware of the account compromises and the use of forged Yahoo cookies by an alleged state-sponsored actor, but executives ignored the gravity of the situation.
“While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team,” Yahoo said in its filing.
Yahoo has admitted in past disclosures that going back as far as 2013, its networks had been compromised and more than 1 billion user account records were stolen. Yahoo said the attackers targeted 26 user accounts, those account holders were notified and investigations were launched. In this week’s filing, Yahoo said that as of December 2014, its security team knew copies of user database backup files were stolen, but was unsure how well that was communicated and understood outside the security team. Yahoo’s investigators said the information was not intentionally suppressed.
“Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident,” Yahoo said in its filing. “The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters.”
Yahoo’s string of disclosures around these attacks began last September when it said that 500 million user account records were stolen in late 2014. In December, Yahoo said more than 1 billion user records were stolen in August 2013; Yahoo admitted in the filing it still has not been able to identify how the attackers penetrated its network and that this attack is “likely distinct” from the 2014 attack. The attackers were able to access servers containing proprietary Yahoo code and learned how to forge its cookies in order to access 32 million accounts without authorization.
Yahoo said that 43 consumer class action lawsuits have been filed related to the breaches. The breaches also apparently cost General Counsel Ronald Bell his job. Bell resigned yesterday and no severance is coming his way, the filing said. The board also determined that CEO Marissa Mayer would not earn her cash bonus for last year and that her 2017 equity award would not be handed out; Mayer asked that her bonus be distributed to employees.
Hanging over all of this is Verizon’s impending acquisition of Yahoo. The breaches put into question whether the deal would happen at all before the two parties agreed to cut the asking price by $350 million; originally the two had agreed on a $4.8 billion price tag.
Some security experts question Yahoo’s conclusion that a state-sponsored attacker is responsible for the breaches. InfoArmor executive Andrew Komarov blames a cybercrime group known as Group E, an Eastern European and Russian-speaking outfit that sells stolen personal data to spammers. Komarov said in December that the database of one billion account records had been sold at last three times.