Politics

Senator Grills Yahoo Exec On How The Company Still Hasn’t Figured Out Why It Was Hacked

Republican Sen. John Thune of South Dakota grilled ex-Yahoo CEO Marissa Mayer during a hearing Wednesday on why it took so long for the company to realize it was being hacked, and subsequently notify the public.

Thune, who chairs the Senate Committee on Commerce, Science and Transportation holding the executive session, did not understand how Yahoo’s cybersecurity infrastructure could be so weak.

“Ms. Mayer, in your opening statement you describe the significant investments that Yahoo made under your leadership with respect to its internal security,” said Thune. “Nevertheless, despite these investments, the company apparently failed to detect the 2013 breach, which was the largest breach in the history of the internet, for more than three years.”

“And even after the 2013 breach became apparent, Yahoo significantly underestimated the number of accounts implicated by billions,” Thune continued, before getting to what he calls an “obvious question.” “With such a strong security team in place, how did Yahoo fail to recognize that all three billion of its user accounts had been compromised, and why did it take more than three years to discover and disclose the breach?”

Mayer opened her response by saying that “at Yahoo, we deeply value our users security,” alleging that it certainly “invested heavily in that security.” (RELATED: Marissa Mayer Is About To Get Paid Nine Figures For Overseeing Yahoo’s Demise)

But current and former executives have begged to differ.

Yahoo Senior Vice President Jeff Bonforte said Alex Stamos — the former chief information security officer who is now at Facebook working in a highly similar role — adamantly advocated for end-to-end encryption for all services, according to a New York Times report that showed a stark divide amongst the higher-ups. This cybersecurity feature would permit only the people involved in the conversation (not even Yahoo) to be able to see the communications.

Many employees told TheNYT that Mayer denied Stamos funding and resources to implement security defense, like intrusion-detection technology. She allegedly prioritized keeping the conglomerate and its services up-to-date by creating new features, among other similar initiatives. Stamos led the cybersecurity team known internally as the “Paranoids,” before members, including himself, were ultimately poached by competitors like Apple, Facebook and Google.

A representative for Yahoo told The Daily Caller News Foundation around the time TheNYT report was published that such accusations from insiders were not true, and it had a formidable cybersecurity system — much like Mayer is still purporting.

“To this day we, as I understand it, still have not been able to identify the intrusion that led to that theft,” Mayer continued in her response to Thune. “Which is to say we’ve received files from law enforcement that contained Yahoo data, and we verified that it came from Yahoo, we don’t exactly understand how the act was perpetrated.”

Thune apparently wasn’t satisfied with her answer, and asked once again, why there was such an extensive delay in disclosing it, while also adding the question of how it could also undercount by such a large amount.

“Yahoo did not know of the intrusion in 2013; we learned of the intrusion by files that were presented to us in November of 2016,” Mayer answered, while elaborating that they urgently responded “in a very short period of time” once that occurred.

Mayer declined to add more details, saying she was not allowed to since she is no longer with Yahoo, which is now owned by Verizon.

The hearing, titled “Protecting Consumers in the Era of Major Data Breaches,” also included testimony and questioning from and to executives of Verizon, as well as Equifax — a company recently rolling from poor cybersecurity, and ensuing missteps. (RELATED: The IRS Was Planning On Paying Equifax $7.5 Million To Protect Taxpayers’ Identities Even After Massive Breach Was Disclosed)

Like Yahoo, Equifax also originally underreported the amount of people affected by a wide-scale breach of their systems. This is Congress’s second opportunity to pepper the executives of Equifax with questions, after the former CEO was called to testify earlier in October and received intense questioning.

Follow Eric on Twitter

Send tips to [email protected].

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact [email protected].