Marissa Mayer forgoes bonus and equity in wake of Yahoo security incidents

Yahoo’s board has decided that CEO Marissa Mayer will not receive her annual bonus this year, a decision linked to Yahoo’s handling of the 2014 security breach that exposed data from 500 million user accounts. Mayer volunteered to forgo her annual equity grant, as well, and has asked that the money be redistributed to Yahoo’s employees.

Mayer discussed the decision on Tumblr, the blogging platform Yahoo acquired in 2013. “I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016,” Mayer wrote.

Yahoo’s board has also concluded the independent investigation it was conducting into the massive security breaches that occurred in 2013 and 2014, and it’s laying the blame for the delayed disclosure of the 2014 breach with Yahoo general counsel Ron Bell.

Bell resigned from Yahoo today and will not receive severance, according to Yahoo’s 10-K filing. Bell had worked at Yahoo since 1999 and was promoted to general counsel in 2012.

“He has served this company longer than the founders. His experience and expertise and oversight in terms of the company and shareholders has been stellar,” Marcy Simon, a spokesperson for Bell, told TechCrunch. “This was an opportunity for him to submit his resignation and look forward to the next journey and chapter in his life.” Simon also pushed back against rumors of a feud between Bell and Mayer, saying that Bell has great respect for Yahoo’s chief executive.

The results of the investigation finally answer some of the lingering questions about the 2014 breach and why it took so long for Yahoo to announce the hack to users. Yahoo’s security team discovered the hack in late 2014 and informed “relevant legal staff,” according to the board. However, the team apparently thought the hack was limited to only 26 accounts and did not investigate further.

Yahoo’s security team was aware in December 2014 that user database backup files were stolen, but the board’s independent investigators said it was unclear whether the security team communicated this information to anyone else. Still, investigators said Bell’s legal team had enough information about the breach to demand a more thorough investigation — but his team did not do so.

“As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident,” Yahoo’s filing states.

Mayer claims she didn’t learn that the breach extended far beyond 26 accounts until September 2016. Yahoo announced the hack to the public on September 22, 2016, and disclosed the 2013 hack of more than one billion accounts on December 14, 2016.

Yahoo has faced questions from the Senate about its handling of the two breaches and its subsequent disclosures to users. The board’s independent investigative committee is expected to brief senators on the timeline of the breaches. 

The filing also shed new light on a more recent security lapse involving unauthorized account access via cookie forging; since the activity was disclosed, experts hired by the company have “identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016… We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident.” That actor also accessed proprietary code in order to successfully forge the cookies, though the extent of that unauthorized access is not detailed.

The security incidents pushed Verizon to cut $350 million off its offer to buy Yahoo. The acquisition is expected to close in Q2 of this year. (Disclosure: Verizon owns AOL, which owns TechCrunch.) The breaches cost Yahoo even more money, according to its filing — Yahoo spent $16 million in 2016 cleaning up after the incidents.

Five million was spent on the independent forensic investigation, conducted by Mandiant and Stroz Friedberg. The additional $11 million went to legal costs. But despite that spend, Yahoo says the breaches made no material impact on its business. The company currently faces 43 consumer class action lawsuits and several stockholder class actions related to the incidents.

Yahoo’s incident cleanup includes the recent hiring of a risk management executive and the revision of its technical and legal response protocols for security incidents. The new protocols will require the board of directors and senior executives to be briefed on cybersecurity incidents and will set disclosure timelines so that the public becomes aware of breaches more quickly.