Yahoo offers new details on breaches to Senate committee

Since Yahoo disclosed two mega-breaches late last year, its executives have met almost daily with CEO Marissa Mayer for working sessions focused on improving the company’s cybersecurity posture. Employees have also received weekly security presentations from Yahoo CISO Bob Lord at the company’s all-hands meetings. The new working sessions and briefings are part of an internal effort to promote a security culture as the company approaches its upcoming acquisition by Verizon.

But the executive-level concern over security may be seen as too little, too late by a Senate committee that is questioning Yahoo on its reaction to the breaches. Data from over 1 billion accounts was stolen from Yahoo in 2013, data from 500 million accounts was stolen in 2014, and attackers used forged cookies to access user accounts without a password in 2015 and 2016.

Senators John Thune and Jerry Moran sent Yahoo a stern letter earlier this month demanding answers about the company’s response to the breaches after Yahoo canceled a scheduled briefing with staff from the Senate Committee on Commerce, Science and Transportation. The committee sought information about “the nature of the incident, those affected, and steps the company had taken to identify and mitigate consumer harm, beyond what was already known publicly.” Yahoo has finally responded with a handful of new details about the massive security incidents.

In addition to Mayer and Lord’s increased engagement with staff, here’s what we now know about the two breaches and their aftermath:

  • Yahoo’s cooperation with law enforcement is broader than we realized. The company is cooperating with federal, state and foreign government officials regarding the breaches. Yahoo had previously stated that it learned of the theft of data from over 1 billion accounts from a law enforcement agency, which notified Yahoo that user data had surfaced online.
  • Most of the accounts involved in the 2014 breach were also involved in the 2013 breach. Yahoo has previously been vague about the total number of accounts affected, citing its ongoing investigation into the matter.
  • Yahoo has hired a risk management executive to focus on security. “Yahoo has formalized the role of and hired a functional leader for risk management whose chief mandate is to mature Yahoo’s formal information risk management security program,” Yahoo told the committee. A Yahoo spokesperson declined to name the new hire.
  • Yahoo is growing its Advanced Persistent Threat team to better address state-sponsored attacks. Yahoo attributed the 2013 hack and the cookie-forging activity to a state-sponsored attacker and is expanding its team that tracks APT campaigns. Yahoo also follows the NIST Cybersecurity Framework, which recommends best security practices for businesses, takes a “kill chain” approach to attack detection, funds a red team to attack its own products and has a bug bounty program to support vulnerability research.
  • Rather than allowing Mayer or other executives to brief the Senate Committee, Yahoo will offer a briefing from an independent committee formed by its board of directors to investigate the breaches. Chris Madsen, Yahoo’s assistant general counsel, had previously spoken with the committee, but it appears that Yahoo wants a little more distance between its employees and the Senate. Referring questions to the Board of Directors’ committee lets Yahoo offer a more unbiased account, and keeps Yahoo employees from speaking publicly before the Verizon deal is finalized.

However, unanswered questions remain about the timeline of the breaches and their disclosure to consumers.

Yahoo says it didn’t know about the 2013 breach until it was approached by law enforcement in Nov. 2016, but the company learned about the 2014 incident the same year it happened — leading to questions about why the breach wasn’t announced until two years later.

Some employees knew about the breach in “late 2014,” according to a November filing with the Securities and Exchange Commission. But Yahoo claimed in a September proxy statement that it had no knowledge of any security breaches. The discrepancy led Sen. Mark Warner to call on the SEC to investigate Yahoo.

“Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said.

Yahoo didn’t clear up the timeline in its response to questions from Thune and Moran. Here’s all that Yahoo’s vice president April Boyd had to say about it:

“On September 22, 2016, Yahoo disclosed the 2014 Incident. Following the September 22, 2016 disclosure, the company, with the assistance of outside forensic experts, continued to investigate the 2014 Incident and related matters. The company has also actively been working with U.S. law enforcement agencies on this matter.”

The independent committee formed by Yahoo’s board of directors is investigating the timeline, according to the SEC filing. A spokesperson for Thune’s office said the newly announced briefing with the board’s independent committee is not yet scheduled, but that it will be an important part of the Senate inquiry.

All of the security incidents and the surrounding fallout caused Verizon to knock $350 million off its offer for Yahoo, bringing the deal down to $4.48 billion. (Disclosure: Verizon owns AOL, which owns TechCrunch.) The deal is expected to close sometime during Q2 this year.