The company did not fully disclose the details of the security breach, which Yahoo said was state-sponsored, until September 2016. The investigation, by a committee of independent members of the board (independent committee), found that the executives who were aware of the breach did not adequately inform Yahoo’s audit and finance committee and the full board of the full severity, risks, and potential impacts of the 2014 data breach.
Yahoo’s information security team knew about the breach, which involved the theft of user account information including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The team was also aware of incidents by the same attacker involving cookie forging in 2015 and 2016.
While significant additional security measures were implemented in response to those incidents, the investigation found that senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of what the company’s information security team knew internally. However, the independent committee did not conclude that there was an intentional suppression of relevant information.
The company’s annual report stated: “In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement.”
However, the independent committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security breach. Yahoo also reported that in a separate incident in August 2013 an unauthorised third party stole data associated with more than one billion user accounts.
The company is also facing around 43 consumer class action lawsuits, four stockholder derivative actions and one putative stockholder class action, and said that it could face further claims or lawsuits. It is also being investigated by a number of federal, state, and foreign governmental officials and agencies.
As a result of the cyber security incidents and the independent committee’s findings and recommendations, the company is to improve its response to and internal reporting of cyber security breaches.
Verizon Communications is in the process of buying Yahoo. Last month the companies agreed on a reduced price of $4.48 billion, $350m less than the price offered last year for Yahoo, partly due to the impact of the cyber security breaches. The companies have also agreed that Yahoo will be responsible for 50% of any cash liabilities incurred following the closing that relate to non-SEC (Securities and Exchange Commission) government investigations and third-party litigation concerning the breaches. Liabilities arising from shareholder lawsuits and SEC investigations will remain the responsibility of Yahoo, the companies said. The deal is expected to be concluded by June this year.