February 28, 2017
Since Yahoo disclosed two mega-breaches late last year, its executives have met almost daily with CEO Marissa Mayer for working sessions focused on improving the company’s cybersecurity posture. Employees have also received weekly security presentations from Yahoo CISO Bob Lord at the company’s all-hands meetings. The new working sessions and briefings are part of an internal effort to promote a security culture as the company approaches its upcoming acquisition by Verizon.
But the executive-level concern over security may be seen as too little, too late by a Senate committee that is questioning Yahoo on its reaction to the breaches. Data from over 1 billion accounts was stolen from Yahoo in 2013, data from 500 million accounts was stolen in 2014, and attackers used forged cookies to access user accounts without a password in 2015 and 2016.
Senators John Thune and Jerry Moran sent Yahoo a stern letter earlier this month demanding answers about the company’s response to the breaches after Yahoo canceled a scheduled briefing with staff from the Senate Committee on Commerce, Science and Transportation. The committee sought information about “the nature of the incident, those affected, and steps the company had taken to identify and mitigate consumer harm, beyond what was already known publicly.” Yahoo has finally responded with a handful of new details about the massive security incidents.
In addition to Mayer and Lord’s increased engagement with staff, here’s what we now know about the two breaches and their aftermath:
- Yahoo’s cooperation with law enforcement is broader than we realized. The company is cooperating with federal, state and foreign government officials regarding the breaches. Yahoo had previously stated that it learned of the theft of data from over 1 billion accounts from a law enforcement agency, which notified Yahoo that user data had surfaced online.
- Most of the accounts involved in the 2013 breach were also involved in the 2014 breach. Yahoo has previously been vague about the total number of accounts affected, citing its ongoing investigation into the matter.
- Yahoo has hired a risk management executive to focus on security. “Yahoo has formalized the role of and hired a functional leader for risk management whose chief mandate is to mature Yahoo’s formal information risk management security program,” Yahoo told the committee. A Yahoo spokesperson declined to name the new hire.
- Yahoo is growing its Advanced Persistent Threat team to better address state-sponsored attacks. Yahoo attributed the 2013 hack and the cookie-forging activity to a state-sponsored attacker and is expanding the team that tracks APT campaigns. Yahoo also follows the NIST Cybersecurity Framework, which recommends security best practices for businesses, takes a “kill chain” approach to attack detection, funds a red team to attack its own products and runs a bug bounty program to support vulnerability research.
- Rather than allowing Mayer or other executives to brief the Senate Committee, Yahoo will offer a briefing from an independent committee formed by its board of directors to investigate the breaches. Chris Madsen, Yahoo’s assistant general counsel, had previously spoken with the committee, but it seems Yahoo wants a little more distance between its employees and the Senate. Referring questions to the Board of Directors’ committee lets Yahoo offer a more independent account and keeps Yahoo employees from speaking publicly before the Verizon deal is finalized.
However, unanswered questions remain about the timeline of the breaches and their disclosure to consumers.
Yahoo says it didn’t know about the 2013 breach until it was approached by law enforcement in Nov. 2016, but the company learned about the 2014 incident the same year it happened — leading to questions about why the breach wasn’t announced until two years later.