Marissa! Mayer! pulled! out! of! retirement! to! explain! Yahoo! hack! to! Senators!
Joins Equifax and Verizon execs to explain pitiful security
Poor Marissa Mayer. After selling off Yahoo! and floating away on her golden parachute, she must have been looking for a nice rest. But US Congress wanted her to explain how every single user account on the portal got hacked.
On Wednesday, she testified before the Senate Committee on Commerce, Science, and Transportation on the matter, but reportedly wasn't too keen to attend. The Hill reports that it finally took a subpoena to drag her to the hearing – an account Mayer's personal staff reject, saying Mayer had decided to take part before receiving the subpoena.
In an early morning session Mayer apologized to customers over the hacking attack. Yahoo! originally thought 500 million accounts were compromised, then raised it to a billion, before admitting last month that all three billion accounts hosted by the company had been compromised.
"As you know, Yahoo was the victim of criminal, state-sponsored attacks on its systems, resulting in the theft of certain user information," Mayer said, in a deadpan tone. "As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users."
Mayer testified that Yahoo! still doesn't know exactly how the attacks against it worked – although law enforcement claims that it does in its indictments of four people believed to be responsible. The attacks took place in August 2013 but Yahoo! only realized it had been hacked when police showed the company files that had been stolen from its servers.
Senator Bill Nelson (D-FL) said that he'd been in similar hearings in the past and asked Mayer if it was even possible to protect data against attack. She said that there was little anyone could do about a state-sponsored attack. Nelson wasn't keen on that response.
Next up, Equifax
The former CEO of Equifax, Richard Smith, didn’t escape a grilling. In past testimony before Congress, Smith blamed a single technician for not installing a critical patch in Apache Struts and an automated network scan that failed to detect the flaw. Committee chairman Senator John Thune (R-SC) was skeptical about the response.
Smith claimed that Equifax had upgraded its scanning technology to catch future flaws but continued to blame the lone technician and the faults of open source software. Paulino de Rego Barros, Smith's successor, said the firm had hired PWC to do a "top-down review" of the IT infrastructure and stronger policies are now in place, including encrypting its data (duh) and two-factor authentication.
Senator Brian Schatz (D-HI) was even more brutal. He pointed out to Smith that when Yahoo! screwed up, its customers could move but not in the case of the credit reference agency, giving it "zero incentive" to improve. He also pointed out that Lifelock, the service that checks for identity fraud, actually generated money for the errant company because it subcontracts to Equifax. He also questioned the attendee's personal rewards system.
"People back home cannot understand how the CEO of Equifax and the CEO of Yahoo! walked away with $90m, or $27m, or possibly a quarter of a billion dollars in stocks – this is unfathomable to the average person," he said.
"They don't understand, Mr Smith, you harm consumers and you walk away with the amount of money that a small city or county uses for their annual operating budget. It's not fair and it's why this dais has an obligation to make a law and not just drag you back and forth and wave our fingers at you." ?