Yahoo has faced multiple breaches within the last six months, which have severely affected its merger with Verizon. Now the situation has become more intense: reports revealed that Yahoo's CEO had to distribute her own bonus among employees and the senior counsel had to resign, following an internal investigation by the company regarding the recorded hacks.
As per Business Insider, Yahoo conducted an internal investigation and concluded that its executives did not handle the security breaches properly. One such breach even resulted in the theft of users' information, including their names, phone numbers and even dates of birth.
Yahoo also disclosed in its yearly report on 1 March that the company could be facing criminal penalties due to the incident. Apparently, several government agencies are now looking into the matter. Additionally, Yahoo is already facing 43 putative consumer class action lawsuits in relation to the hacks.
Verizon, the company which is supposed to acquire Yahoo, has already reduced its offer multiple times due to the disclosed breaches. The initial $4.8 billion acquisition offer has already seen a $350 million discount.
As a result of all this, Marissa Mayer, the CEO of Yahoo, didn't get her 2016 bonus worth around $2 million, and on top of that, she voluntarily surrendered her 2017 bonus along with her approximately $12 million equity grants. This amount will be distributed to Yahoo employees.
Ronald Bell, on the other hand, had to resign from his role as the general counsel of the company. Yahoo said, "no payments are being made to Mr. Bell in connection with his resignation." According to Recode, it's like "he (Ronald Bell) is the scapegoat, the fall guy, the one who has to suck it up for Mayer."
Here is what Mayer said:
"As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016."
The reaction to Yahoo's announcement on social media was swift and decidedly anti-Mayer and pro-Bell, and, interestingly, included tweets from Twitter's chief legal officer Vijaya Gadde.
I don't know what happened at Yahoo but I know it's easy to blame the lawyers. I also know that Ron Bell is a good lawyer. https://t.co/gMZEslD2qe
— Vijaya Gadde (@vijaya) March 1, 2017
Also former Yahoo exec Scott Moore:
Ridiculous. I know @ronsbell_tech who is a good man and as a lawyer he wasn't in charge of security @Yahoo #lame CYA move @marissamayer https://t.co/CLHkGygTEb
— Scott Moore (@scottm00re) March 2, 2017
The key points of Yahoo's 10-K regulatory filing on March 1, which unveiled the actions on the security incidents, are as follows:
- Based on its investigation, the Independent Committee concluded that the Company's information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016.
- In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool.
- The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement.
- While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team.
- The Independent Committee did not conclude that there was an intentional suppression of relevant information.
- Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.