Yahoo’s troubles for failing to timely disclose security breaches provides rare insight into quantifying the financial and other costs to a company’s shareholders and leadership when a security breach occurs and is mishandled.
In 2014, more than a billion Yahoo accounts were hacked. Then in 2015 and 2016, more than 500,000 Yahoo user accounts were hacked by the same attacker. In all cases, hackers accessed user emails and sensitive information. However, it is alleged that Yahoo failed to thoroughly investigate the breaches. Yahoo also failed to disclose the breaches until late 2016, when it was in talks to sell the company’s core assets to Verizon.
Yahoo’s executive team denied having knowledge of the breaches prior to the disclosure. However, on March 1, 2017, Yahoo disclosed its independent investigation results and stated that Yahoo’s IT staff had “contemporaneous knowledge” of the 2014, 2015, and 2016 incidents. While finding there was no intent to suppress the breaches, the investigation concluded Yahoo’s IT team and legal staff did not properly comprehend or investigate them.
The SEC was examining whether the breaches were hidden from Yahoo customers and shareholders, but it is not clear whether anything will come of this investigation. Yahoo shareholders demanded that the company claw back a portion of CEO’s Marissa Mayer’s compensation, claiming she had to have known but covered up the breaches to avoid derailing a sale of the struggling company.
Ultimately, in late February 2017, Verizon agreed to move ahead with its purchase, but renegotiated the purchase price down by $350 million to a new price of $4.48 billion. This week, it was also disclosed that senior executives managing Yahoo at the time of the breaches would face consequences. Yahoo’s legal counsel was forced out. CEO Mayer said she voluntarily gave up her 2016 annual cash bonus and 2017 stock award, which together are worth about $14 million.