The hits keep on coming for Yahoo—though this time, its chief executive has sidestepped the chopping block.
On Wednesday, the company revealed the results of its independent investigation into what was the largest security breach in history, and revealed that its general counsel was taking the fall for it.
News broke in September 2016 that more than 500 million user accounts were compromised. In December 2016, the company increased its estimate, revealing that more than 1 billion accounts had been affected.
What’s striking is that the hack took place in 2013.
Senior executives, company lawyers and information security staff were aware of the hack in 2014 and also knew about subsequent attempts to break into the affected accounts in 2015 and 2016, but failed to “properly comprehend or investigate” the situation, the company’s board of directors said in a securities filing on Wednesday.
The board “did not conclude that there was an intentional suppression of relevant information.”
Because of the investigation’s findings, CEO Marissa Mayer did not receive her cash bonus for 2016—and she is voluntarily giving up this year’s bonus and equity grants.
Reporters estimate the value of Mayer’s forfeited bonuses and equity grants to be roughly $14 million.
Mayer has an annual “target bonus” of $2 million, double her annual salary. The actual amount paid depends on her performance and that of the firm. The amount that she would have received for 2016 had not yet been approved by the firm’s compensation committee, a person close to the situation said.
Her annual equity grant is determined by the board, but it’s no less than $12 million a year in restricted stock and stock options.
Mayer’s hit wasn’t nearly as heavy as the other result of Yahoo’s investigation: Its general counsel, Ronald Bell, resigned from the company.
The New York Times reported:
Mr. Bell, a longtime lawyer at Yahoo, appears to be taking the blame for the company’s security failures. Yahoo said he resigned on Wednesday and would receive no payments in connection with his departure. The company’s chief information security officer at the time of the 2014 breach, Alex Stamos, left for Facebook in 2015 after repeated battles with Ms. Mayer over security priorities.
Yahoo said that 43 consumer class-action lawsuits related to the breaches have been filed against the company in federal, state and foreign courts. It also faces a stockholder class-action suit.
On Wednesday, Mayer posted the following statement on her personal Tumblr:
As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.
Though Mayer appeared to be taking the blame for the incident, she and the company were criticized for Bell’s departure.
… Yahoo’s head lawyer, Ron Bell, got bounced for not doing his job, said the company, which noted that the “Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”
So when is the lawyer the one who gets dinged for hacking screw-ups? Never. Let’s be clear, most people inside Yahoo think Mayer and the board should have shouldered the bulk of the blame for the breach.
The reaction to the announcement by Yahoo on social media was swift and decidedly anti-Mayer and pro-Bell, with comments coming from those who have worked with him and also, interestingly, at least one general counsel at another company.
Recode’s Kara Swisher wrote that Mayer’s bonus cuts were the “corporate equivalent of a minor speeding ticket.”
Mayer keeping her position at the helm of Yahoo seems to be the company’s attempt to move past the crisis as quickly as possible.
The security breach has already cost Yahoo roughly $16 million in direct costs, according to The New York Times, and it has also cost the company hundreds of millions in its pending sale to Verizon.
The New York Times reported:
Last week, the companies announced that they had renegotiated the deal because of the breaches, shaving $350 million from the price, and they hope to close the transaction by the end of June.
Though the investigation didn’t find that Mayer or other Yahoo leaders were guilty of hiding the information, the results—including making its lawyer the fall guy—are another blow to the company’s tarnished reputation.