Senior Yahoo executives knew about major hack in 2014

Knowledge predated $4.8bn deal with Verizon, which has since been revised

Yahoo chief executive Marissa Mayer said she would forgo a target bonus for 2016 of $2 million. Photograph: Getty

Yahoo chief executive Marissa Mayer said she would forgo a target bonus for 2016 of $2 million. Photograph: Getty

 

Yahoo admitted on Wednesday that senior executives knew in 2014 about a hack by a state-sponsored attacker, before it entered a $4.8 billion (€4.5 billion) deal with Verizon last summer.

Marissa Mayer, Yahoo chief executive, said she would forgo a target bonus for 2016 of $2 million and at least $12 million in equity awards because senior executives had failed to take appropriate action under her tenure. She hopes the bonus will be distributed to employees.

Ronald S Bell, Yahoo’s general counsel and secretary, resigned without any pay-offs with effect from Wednesday. Mr Bell had been a lawyer for Yahoo since 1999, when he joined from Apple.

An investigation by an independent committee that has just been completed found that Yahoo’s senior executives and relevant legal staff knew about the state-sponsored hacker but did not “properly comprehend or investigate” the incident to the full extent of what was known by Yahoo’s information security team. The committee did not conclude there was any intentional suppression of relevant information.

500m accounts

Yahoo announced in September 2016 that it had evidence of the 2014 breach, which affected up to 500 million accounts. Last December, the company said it had discovered a second large data breach, affecting up to 1 billion accounts.

“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement, as well as to the 26 users that we understood were impacted,” Ms Mayer said.

“When I learnt in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies.”

Yahoo last month agreed to cut the price of its sale to Verizon by $350 million, becoming one of the first major US companies to revise deal terms because of a cyber attack. The attack had caused months of renegotiation, as Verizon worried that it could have an affect on the business and Yahoo responded with data showing users had stuck with the company after the announcement.

Under the new terms of the deal, which is set to close in the second quarter, Yahoo will be wholly liable for potential lawsuits related to the attack. The companies will equally share responsibility for any cash liabilities linked to data breaches.

In its filing on Wednesday, Yahoo said it had adopted new processes and structures to improve its response to security incidents.

Shares in Yahoo dipped 0.4 per cent in after-hours trading to $46.24, while Verizon stock fell 0.7 per cent to $49.81.

– Copyright The Financial Times Limited