Yahoo chief counsel exits after hack probe finds inaction
San Francisco: Yahoo! Inc. general counsel Ronald Bell has left the company after an investigation of security breaches found the legal team had enough information to warrant further inquiry but didn’t sufficiently pursue it, according to a key report ahead of the planned tie-up with Verizon Communications Inc.
Bell resigned on Wednesday and no payments are being made in connection with the move after an independent committee of the web portal’s board wrapped up a probe of a security hack in 2014 and subsequent related incidents, Yahoo said in a regulatory filing.
Chief executive officer Marissa Mayer also didn’t receive a cash bonus last year amid the investigations and the pending sale of the company’s web operations to Verizon. The committee found no intent to suppress information about the security breaches, but said key executives should have done more when the issues was discovered.
“In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the company’s account management tool,” Yahoo said in the filing. “The 2014 Security Incident was not properly investigated and analysed at the time, and the company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.”
Yahoo’s Mayer has been under pressure from users, investors and analysts since the company said last September that hundreds of millions of user accounts were exposed after the 2014 hack. The admission—and a subsequent discovery of a second breach—lead the company to reduce the price of its deal with Verizon by $350 million to $4.48 billion.
The reworked deal, expected to close in the second quarter, also means the telecom giant will share any ongoing legal responsibilities related to the security breaches.
“When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies,” Mayer wrote in a blog post on Tumblr. “However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees.”
The security breaches threatened the Verizon deal, have cost millions of dollars and spurred more than 40 lawsuits. The company also continues to work with the US Securities and Exchange Commission, the US Federal Trade Commission, the US Attorney’s Office for the Southern District of New York, and two state attorneys general.
The 2014 incident—first made public on 22 September 2016—affected about 500 million user accounts and prompted the company to launch an independent investigation. In December, the company also revealed that more than 1 billion user accounts had been hacked in a separate 2013 incident.
The probe found that after the 2014 incident, Yahoo notified 26 specifically targeted users and consulted with law enforcement. While “significant” security measures were implemented, “it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon” what the information security team knew. Specifically, the attacker exfiltrated copies of user database backup files containing the personal data, but it is unclear how well that discovery was communicated and understood outside the information security team.
Since then, the board has ordered actions to address security issues, including a revision of Yahoo’s technical and legal information security incident response protocols to help ensure escalation of cybersecurity incidents to senior executives and the board; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate.
Bell took over as general counsel about the time Mayer became CEO in 2012 after a tumultuous period in the company’s history. Since then, he has guided the company on legal matters such as how the web portal could separate from its valuable stakes in Asian internet companies Alibaba Group Holding Ltd and Yahoo Japan Corp. Bloomberg