[BreachExchange] Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 9 20:33:34 EST 2017


https://www.databreachtoday.com/former-yahoo-ceo-stronger-defense-couldnt-stop-breaches-a-10442

The former CEO of Yahoo, which had 3 billion records exposed in a 2013 data
breach and another 500,000 in a separate 2014 breach, testified at a Senate
hearing that it's tough for any corporation to defend against cyberattacks
backed by nation-states.

"Even robust defenses and prosecutors aren't sufficient to protect against
the state-sponsored attack, especially when they're extremely sophisticated
and persistent," Marissa Mayer testified.

Last month, Yahoo reported its entire user base of 3 billion accounts was
compromised in an August 2013 data breach. While the breach had been
previously disclosed, the count of victims is triple Yahoo's December 2016
estimate that 1 billion accounts were compromised (see Yahoo: 3 Billion
Accounts Breached in 2013).

Mayer stepped down as CEO of Yahoo earlier this year when Verizon
Communications bought the social media company in June for $4.5 billion.

Senator Reacts

In response to Mayer's comment, Sen. Bill Nelson, the Florida Democrat and
ranking member of the Senate Commerce, Science and Transportation
Committee, which held the hearing, said: "That's an admission you are not
protected against state actors." He then asked what Yahoo is doing about
it.

A top executive at Yahoo's new owner, Verizon Communications Chief Privacy
Officer Karen Zacharia, said that companies such as hers must adopt
technologies and processes to improve security as the threat rapidly
evolves. She also said business and government must work together to tackle
this problem, including working to enact a national data breach
notification law.

Zacharia's answer didn't quite satisfy Nelson. "That's a good intention,
but it's going to take more," Nelson said. "It's going to take an attitude
change among companies such as yours that we've got to go to extreme limits
to protect our customers' privacy."

A few minutes later, Sen. Roger Wicker, R-Miss., asked all of those
testifying, including the interim and former CEOs of Equifax, Paulino de
Rego Barros Jr. and Richard Smith, as well as Entrust Datacard CEO Todd
Wilkinson, if they took issue with Nelson's contention that a "mere
company" cannot withstand persistent attacks from state-backed hackers
without the help of the National Security Agency. The executives remained
mute.

Reluctant Witness

Mayer was a reluctant witness. After reportedly declining a request to
testify, the panel issued a subpoena to compel her to appear (see Life
After Yahoo: Mayer Forced to Testify Before Senate).

Mayer told the committee that Yahoo learned of a state-sponsored attack on
its system in late 2014, and promptly reported it to law enforcement and
notified users who were impacted by the hack.

"We now know that Russian intelligence officers and state-sponsored hackers
were responsible for highly complex and sophisticated attacks on Yahoo's
systems," she said, based on the March 15 indictment charging four
individuals in connection with the 2014 hack (see Russian Spies, Two
Others, Indicted in Yahoo Hack). So far, no nation-state connection to the
much larger 2013 breach has been revealed.

Mayer told the committee that Yahoo fell victim to the breaches despite
devoting substantial resources to security in an attempt to stay ahead of
sophisticated and constantly evolving threats.

During her tenure as CEO, she said, Yahoo roughly doubled its internal
security staff and made significant investments in its leadership and team.
Among those hired, she said: security specialists focused on threat
investigations, e-crimes, product security, risk management and offensive
engineering. The company adopted a comprehensive information security
program designed to enhance its policies, procedures and controls based on
the National Institute of Standards and Technology's cybersecurity
framework, she said.

Shrouded in Mystery

Those remarks prompted Committee Chairman John Thune, R-S.D., to ask Mayer
why, despite these investments, Yahoo failed to detect the massive 2013
breach for three years. Mayer answered that such attacks are complex and
persistent and that the understanding of the facts behind them evolves over
time. Indeed, the former CEO said, many of the facts behind the breaches
remain shrouded in mystery.

To this day, she said, security experts have been unable to identify the
specific intrusions that led to the breaches: "We don't exactly understand
how the act was perpetrated."