Owning the Breach: Yahoo CEO Loses Bonus, Equity to Atone
There hasn’t been much to admire about Yahoo’s handling of serial data breaches. Docking CEO Marissa Mayer’s bonus is one decision others should follow.
There hasn’t been much to admire about Internet giant Yahoo’s handling of serial data breaches, but the company’s decision to dock CEO Marissa Mayer’s annual bonus, and her decision to forgo an equity grant worth millions of dollars to atone for the security lapses, is one move that other firms and executives would do well to mimic.
In a filing with the Securities and Exchange Commission on Wednesday, Yahoo said that its Board of Directors “determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her.” The value of the bonus was not disclosed.
That decision followed the report of an independent committee appointed by Yahoo which concluded that Yahoo’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016, and that senior executives and legal staff were aware – at the time – that a state-sponsored actor had “accessed certain user accounts by exploiting the Company’s account management tool.” Still, senior executives – presumably including Mayer – “did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.”
Separately, Mayer opted to forgo an annual equity grant from Yahoo. Writing on her Tumblr blog on Wednesday, Mayer defended her handling of the serial security lapses, saying that she worked diligently with Yahoo’s team to disclose the data breach incident to the company’s users, regulators and government agencies after learning of it in September 2016. But the CEO also took responsibility for the incident, which took place during her tenure.
To atone, Yahoo’s celebrity CEO said she would donate her annual equity grant back to the company and asked for it to be redistributed to Yahoo’s “hardworking employees, who contributed so much to Yahoo’s success in 2016.” The value of that grant is estimated to be millions of dollars.
Now, I know what you’ll say in response: “big deal.” After all, Yahoo’s handling of the hacks that affected billions (with a “B”) of users has, thus far, been an exercise in folly. The company downplayed or overlooked a string of massive breaches that netted cybercriminals and state actors access (potentially) to hundreds of millions of Yahoo user accounts. And, given the epidemic of credential re-use, it’s likely that the information stolen from Yahoo opened the door to other online services, as well. As recently as two weeks ago, the company was notifying users that hackers were forging “cookies” to gain access to their accounts using information compromised in the hacks.
By Yahoo’s own account, its information security team understood that the attacker targeting the company had “exfiltrated copies of user database backup files containing the personal data of Yahoo users” as early as December 2014. But the independent committee found that “it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
The result: Yahoo got a $350m haircut in its planned acquisition by Verizon, which will now go through with a price tag of $4.48 billion – all for an Internet property that once had a market capitalization of close to $110 billion.
So what’s good about the Board’s decision (and Mayer’s)? It sets an important precedent that breaches and other security lapses matter. Of course, we all know they “matter,” but when it comes to accountability, the buck often stops far short of the Chief Executive’s desk.
Indeed, among the companies experiencing the largest and most damaging breaches – Home Depot, Anthem Healthcare, TJX – most senior executives in charge during the breach remained in their positions after, and there’s little evidence of chief executives taking it on the chin financially for their company’s failure to secure its customer data. Target Stores is, of course, the exception: CEO, President and Chairman Gregg Steinhafel resigned from those positions in May 2014, following revelations of massive data breaches as well as slipping sales at that company. That’s not typical. More typical are cases like health insurer Anthem. As this recent article at Axios.com notes, Anthem executives have not addressed the cyber-attack in any earnings call since it was disclosed. As CEO Clemenza might have said: ‘Data breach? Won’t see him no more!’
So Yahoo’s move and Mayer’s mark something of a change. They are recognition, at the very least, that security lapses don’t begin and end in the information technology department. Indeed, as information security becomes a C-level priority, the corollary should be that security lapses have C-Suite accountability, as well. The Yahoo Board’s decision and Mayer’s support that notion. We’ll see if other companies follow suit.