Marissa Mayer may not win any prizes for CEO of the year, but the Yahoo top boss is a class act.
Mayer announced her plan to redistribute her annual bonus and equity stock grant to Yahoo employees in a brief Tumblr post. She says the move was warranted because two major data breaches, affecting more than 1.5 billion Yahoo accounts, happened on her watch. Yahoo admitted last September to a 2014 data breach impacting 500 million user accounts, and then, in December, to a 2013 hack affecting one billion accounts.
“As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted,” the post reads. “When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”
The company’s Wednesday SEC filing outlines the decision to revoke Mayer’s bonus was a decision of the company’s board, but the decision to give up the equity was Mayer’s. The filing does not state a dollar amount for either the bonus or stock grant but, in 2015, she had a shot at a $2 million bonus and up to $40 million in stock awards.
Also as part of the fall out, the filing indicates Yahoo’s general counsel Ronald Bell resigned.
The SEC filing also details how the hackers who got their hands on Yahoo’s code created cookies to access 32 million accounts through 2015 and 2016.
“In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” the filing reads. “Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the company so they cannot be used to access user accounts.”
The filing goes on to recount the findings of the independent committee investigating the incidents.
“Based on its investigation, the independent committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016,” the filing reads. “In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team.”
Despite the ongoing fallout over the two massive breaches, Yahoo was able to finalize the sale price of its Internet division late last month by slashing $350 million from the original $4.83-billion figure. Now valued at approximately $4.48 billion in cash, the deal is expected to close in the second quarter of 2017.
The companies will share some of the legal and regulatory liabilities arising from the hacks, the firms announced in a joint press release. While the companies will equally split any cash liabilities arising from government investigations and third-party litigation related to the breaches, liabilities arising from shareholder lawsuits and SEC investigations will be the sole responsibility of Yahoo.