Yahoo has admitted that senior executives knew about a hack by a state-sponsored attacker back in 2014, before it entered a $4.8bn deal with Verizon last summer.
An investigation by an independent committee found that Yahoo’s senior executives and relevant legal staff knew about the state-sponsored hacker but did not “properly comprehend or investigate” the full extent of what was known by Yahoo’s information security team. Yahoo announced in September 2016 that it had evidence of the 2014 breach, which affected up to 500m accounts.
Marissa Mayer, Yahoo chief executive, said she would forgo her 2016 bonus because senior executives failed to take appropriate action under her tenure. Ronald S. Bell, Yahoo’s general counsel and secretary, will resign without any pay-offs from today.
“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies,” Ms Mayer said.
Yahoo last month agreed to cut the price of its sale to Verizon by $350m and take on liability for potential lawsuits related to the cyber attack. In its filing on Wednesday, Yahoo also said it had adopted new processes and structures to improve its response to security incidents.