Equifax, Yahoo fail to answer the most basic questions during Senate hearing

Senators were left frustrated as Yahoo didn't know how it was hacked, and Equifax still didn't know who.
Written by Zack Whittaker, Contributor

Former Yahoo chief executive Marissa Mayer. (Image: pool photo)

Former Yahoo and Equifax bosses stumbled through a Wednesday hearing before the Senate Commerce Committee without answering basic questions about their respective massive data breaches, much to the chagrin of questioning lawmakers.

Marissa Mayer, who led Yahoo until she left earlier this year with a $260 million payout after the web giant was bought by Verizon, wasn't able to tell senators how hackers were able to steal the company's entire store of three billion user accounts during a breach in 2013.

Yahoo disclosed the hack last year, after initially saying only one billion accounts were stolen.

She also wasn't able to say who was to blame for the attack, or why it took three years to learn of the breach.

What makes the Yahoo affair more confusing is that months before the disclosure, the company admitted it had been hacked in an entirely separate breach from 2014, in which 500 million user accounts were stolen.

Mayer pinned the blame for the 2014 breach on Russian hackers. Justice Department prosecutors filed charges against four Russians, including two intelligence officials and two other hackers.

But while Mayer lacked answers, she countered with contrition.

"As CEO, these thefts occurred during my tenure," said Mayer, during her opening remarks. "I want to sincerely apologize to each and every one of our users."

Sen. Brian Schatz (D-HI) was less than forgiving, saying it was "unfathomable" that Mayer walked away with a payout that amounts to what a "small city" uses for its annual operating budget.

Richard Smith, meanwhile, who retired earlier this year after the catastrophic data breach at credit agency Equifax that affected more than 145 million Americans, couldn't tell senators who was behind the attack.

The company lost control of Social Security numbers, birth dates, home addresses, and in some cases driver's license information, as well as hundreds of thousands of credit card numbers and other personally identifiable information.

Not only did the company draw ire for taking six weeks to inform its customers of the breach, senior executives also took flak for selling millions of dollars' worth of stock before notifying the public. An internal company committee later cleared the executives of any wrongdoing.

But chief among the complaints was that the company failed to fix a flaw that gave the hackers access to the company's systems in the first place.

The company said in September that it knew hackers had exploited a vulnerability in its website, citing a known vulnerability in Apache Struts, a popular web application framework. The bug had been patched earlier in March, but Smith said the patches hadn't been installed on its servers.

Sen. Gary Peters (D-MI) said that experts he spoke to said the breach was "not a sophisticated attack," and criticized the company for the oversight.

"I can't think of a clear definition of gross negligence," said Peters. "You don't take the precautions when a [vulnerability] roadmap has been put out?"

Equifax's interim chief executive Paulino Barros said that the company now spends four times as much on cybersecurity as it did prior to the breach.
