Yahoo's security follies add up to real money: Will companies learn from Yahoo's mistakes?
The cliché in recent years is that cybersecurity has become a boardroom issue. It's one thing to say that and quite another to take the financial hit that proves the theory.
Thank you, Yahoo.
Yahoo's security screw-ups are well documented. The latest is that intruders used forged cookies to access 32 million user accounts without a password. Yahoo started warning customers in February about the forged cookies.
Add it up and Yahoo has disclosed two attacks -- one for 500 million and another for 1 billion. Yahoo now is in the cybersecurity follies hall of fame.
Also: After hacks, Verizon cuts Yahoo price by $1.55 per customer | Yahoo warning users that hackers forged cookies to access accounts | Yahoo says 32m user accounts were accessed via cookie forging attack | Yahoo confirms data breach affecting 500 million accounts, claims state actor behind attack | Yahoo hacked again, more than one billion accounts stolen
But none of these attacks would have mattered if it didn't cost Yahoo -- and its executives -- money. The reality of cyberattacks is that companies don't take much of a financial hit when customer data is compromised. Why? Insurance can cover much of the hit. Sales may slip a bit. But for the most part, life goes on. A few heads roll, and business resumes as usual.
Yahoo is actually taking a financial hit, and that means it's quite possible that cybersecurity will really be a boardroom issue. After all, executives tend to like their bonuses and stock grants.
See: Online security 101: Tips for protecting your privacy from hackers and spies
First, Verizon shaved $350 million from the price it'll pay for Yahoo. And now Yahoo CEO Marissa Mayer will take a financial haircut (sure, it's largely symbolic, but it's a start). Mayer said:
As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016.
Legal chief Ronald Bell also resigned without any payments from Yahoo. Yahoo's annual report highlight an independent committee's findings about the cyberattacks, which date back to 2014. Yahoo said in a filing:
In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.
That passage stings and is likely to serve as a reminder to other companies that they have to take cybersecurity more seriously and associate financial penalties with breaches. It remains to be seen how much corporations ultimately learn from Yahoo's mistakes.
VIDEO: What Verizon's data breach tells us about the state of IoT security
VIDEO: Surviving ransomware -- without losing customers