Last month, Yahoo revealed that all of its approximately three billion accounts were affected by the 2013 data breach. Apologizing for the attacks, former CEO Marissa Mayer stated, “we worked hard over the years to earn our users’ trust. As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users.”
A Senate Commerce Committee spokesperson confirmed on Tuesday, November 7 that the Committee had subpoenaed Mayer to testify in a hearing concerning the data breaches. After being given multiple opportunities to testify voluntarily, and even after being threatened with legal action, Mayer agreed to testify once the Committee’s top Democrat, Sen. Bill Nelson (D-Fla.), supported Committee Chairman John Thune’s (R-S.D.) move to subpoena her. Appearing along with Mayer are a Verizon representative, Equifax’s interim CEO Paulino do Rego Barros, and its former CEO, Richard Smith.
In her testimony before the Committee, Mayer apologized and noted the breadth of the information stolen. Mayer noted, “we roughly doubled our internal security staff and made significant investments in its leadership and the team.” Pointing to the top security specialists Yahoo had hired and the comprehensive information security programs it had adopted, Mayer assured the Committee that Yahoo had the systems and personnel in place to thoroughly monitor for and protect against data breaches. Mayer concluded by mentioning the difficulty of protecting against state-sponsored attacks, and the aggressive efforts the DOJ and the FBI, along with Yahoo, are making to prevent such attacks.
The Yahoo data breach was revealed to have been a state-sponsored attack by Russian individuals. Two Russian intelligence agents were indicted in connection with the attack on 500 million Yahoo accounts, and are considered some of the most dangerous agents in the world. Several senators asked those before the Committee whether there should be a financial incentive for companies to protect against hacks and have systems in place to notify consumers. Senators also asked why consumers do not own their own data or have the ability to opt out. Connecticut Democratic Sen. Richard Blumenthal struck a harsh tone, stating, “under current law, even some of the most egregious examples of lax security can be met only with apologies and promises to do better next time. Not fines, or other penalties, or real deterrents. The real deterrent will come when those penalties are imposed on executives like the ones before us today.”
In an exchange with Senator Bill Nelson, Mayer admitted that Yahoo was not protected against a state actor such as Russia. When asked what it was doing to ensure Yahoo’s protection, Verizon said it “long believed” legislation specific to data security and data breach is necessary, and that it is open to collaborating with senators to draft such legislation. Nelson agreed, though with skepticism, saying, “It’s going to take an attitude change among companies such as yours,” and adding that they [Yahoo, Verizon, Equifax] must go to “extreme limits” to protect customers’ privacy.