It’s probably not going to affect her regular bill-paying routine, but Yahoo will be withholding a lot of bonus money–possibly as much as $2 million–from CEO Marissa Mayer because of her faulty supervision of two major security breaches in the last three years.
Those two well-chronicled security lapses exposed the personal information of more than 1 billion Yahoo users and cost the company $350 million in corporate value prior to its pending acquisition by Verizon Communications.
Mayer won’t be paid her annual bonus, nor will she receive a potentially lucrative stock award, because an internal Yahoo investigation decided that her management team reacted too slowly to the first breach discovered in 2014.
The information became public knowledge in Yahoo’s annual report, filed March 1.
Company’s Legal Chief Resigns
Alongside this news, Yahoo’s general counsel, Ronald Bell, resigned March 1 without severance pay–ostensibly for his department’s slow response to the security issues. Alex Stamos, Yahoo’s chief security officer at the time of the 2014 breach, left the company a year later.
Yahoo also is being investigated by the U.S. Securities and Exchange Commission regarding allegations it was slow to tell its investors about the hacks.
Yahoo admitted two major intrusions in 2016. One involving 500 million records was reported in August, and another involving 1 billion records was reported in December. The breach reported in August likely occurred in 2014, while the latter breach likely happened in 2013. The size of the breaches stunned security experts and threatened to derail the proposed buyout completely.
Even though Yahoo’s security team found evidence that a hacker backed by an unnamed state-sponsored agent had accessed user accounts in 2014, company decision-makers failed to act quickly enough on that knowledge, according to the results of an internal investigation included in the report. At the time, Yahoo managed to notify a mere 26 people that their accounts had been breached.
Legal Department Criticized
The report didn’t identify any negligent executives by name, but it blasted the company’s legal department for not looking more deeply into the 2014 breach. As a result, the event “was not properly investigated and analyzed at the time,” the report said.
Yahoo didn’t disclose the 2014 breach until last August when it began notifying at least 500 million users that their email addresses, birth dates, answers to security questions, and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about 1 billion accounts, including some that were also hit in 2014.
The breaches, the two biggest in internet history, have already taken a major toll. Yahoo was forced to lower the sales price of its home site, email and other digital services to Verizon Communications from $4.83 billion to $4.48 billion to account for the potential backlash from the breaches.
More than 40 lawsuits also have been filed seeking damages for the breaches. If Yahoo’s sale to Verizon is completed as expected later this year, a new corporate entity called Altaba Inc. will be responsible for paying those legal claims.
Mayer Responds in Blog Post
In a post on Yahoo’s Tumblr blog service, Mayer said she didn’t know about the scope of the breaches until September and then tried to set things right–but it apparently was too late.
“However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant,” Mayer wrote in the post.