Yahoo completes hack review, says some executives 'did not properly comprehend'
Yahoo (YHOO) stated in its 10-K annual filing: "As previously disclosed, an independent committee of the board has investigated the security incidents... The independent committee has concluded its investigation, although it will continue to review developments regarding the security incidents and report to the board... Based on its investigation, the committee concluded that the company's information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the company's account management tool. The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company's information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the independent committee did not conclude that there was an intentional suppression of relevant information. Nonetheless, the committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. 
As a result, the 2014 security incident was not properly investigated and analyzed at the time, and the company was not adequately advised with respect to the legal and business risks." Yahoo has agreed to be acquired by Verizon (VZ).