Yahoo’s board has decided that CEO Marissa Mayer will not receive her annual bonus this year, a decision linked to Yahoo’s handling of the 2014 security breach that exposed data from 500 million user accounts. Mayer volunteered to forgo her annual equity grant as well and has asked that the money be redistributed to Yahoo’s employees.
Mayer discussed the decision on Tumblr, the blogging platform Yahoo acquired in 2013. “I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016,” Mayer wrote.
Yahoo’s board has also concluded the independent investigation it was conducting into the massive security breaches that occurred in 2013 and 2014, and it’s laying the blame for the delayed disclosure of the 2014 breach with Yahoo general counsel Ron Bell.
Bell resigned from Yahoo today and will not receive severance, according to Yahoo’s 10-K filing. Bell has worked at Yahoo since 1999 and was promoted to general counsel in 2012.
The results of the investigation finally answer some of the lingering questions about the 2014 breach and why it took so long for Yahoo to announce the hack to users. Yahoo’s security team discovered the hack in late 2014 and informed “relevant legal staff,” according to the board. However, the team apparently thought the hack was limited to only 26 accounts and did not investigate further.
Yahoo’s security team was aware in Dec. 2014 that user database backup files were stolen, but the board’s independent investigators said it was unclear whether the security team communicated this information to anyone else. Still, investigators said Bell’s legal team had enough information about the breach to demand a more thorough investigation — but his team did not do so.
“As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident,” Yahoo’s filing states.
Mayer claims she didn’t learn that the breach extended far beyond 26 accounts until Sept. 2016. Yahoo announced the hack to the public on Sept. 22, 2016, and disclosed the 2013 hack of over one billion accounts on Dec. 14, 2016.
Yahoo has faced questions from the Senate about its handling of the two breaches and its subsequent disclosures to users. The board’s independent investigative committee is expected to brief senators on the timeline of the breaches.
The security incidents pushed Verizon to cut $350 million off its offer to buy Yahoo. The acquisition is expected to close in Q2 of this year. (Disclosure: Verizon owns AOL, which owns TechCrunch.) The breaches cost Yahoo even more money, according to its filing — Yahoo spent $16 million in 2016 cleaning up after the incidents.
Five million was spent on the independent forensic investigation, conducted by Mandiant and Stroz Friedberg. The additional $11 million went to legal costs. But despite that spend, Yahoo says the breaches made no material impact on its business. The company currently faces 43 consumer class action lawsuits and several stockholder class actions related to the incidents.