Marissa! Mayer! pulled! out! of! retirement! to! explain! Yahoo! hack! to! Senators!

Joins Equifax and Verizon execs to explain pitiful security

Poor Marissa Mayer. After selling off Yahoo! and floating away on her golden parachute, she must have been looking for a nice rest. But US Congress wanted her to explain how every single user account on the portal got hacked.

On Wednesday, she testified before the Senate Committee on Commerce, Science, and Transportation on the matter, but reportedly wasn't too keen to attend. The Hill reports that it finally took a subpoena to drag her to the hearing – an account Mayer's personal staff reject, saying Mayer had decided to take part before receiving the subpoena.

In an early morning session Mayer apologized to customers over the hacking attack. Yahoo! originally thought 500 million accounts were compromised, then raised it to a billion, before admitting last month that all three billion accounts hosted by the company had been compromised.

"As you know, Yahoo was the victim of criminal, state-sponsored attacks on its systems, resulting in the theft of certain user information," Mayer said, in a deadpan tone. "As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users."

Mayer testified that Yahoo! still doesn't know exactly how the attacks against it worked – although law enforcement claims that it does in its indictments of four people believed to be responsible. The attacks took place in August 2013 but Yahoo! only realized it had been hacked when police showed the company files that had been stolen from its servers.

Senator Bill Nelson (D-FL) said that he'd been in similar hearings in the past and asked Mayer if it was even possible to protect data against attack. She said that there was little anyone could do about a state-sponsored attack. Nelson wasn't keen on that response.

Next up, Equifax

The former CEO of Equifax, Richard Smith, didn’t escape a grilling. In past testimony before Congress, Smith blamed a single technician for not installing a critical patch in Apache Struts and an automated network scan that failed to detect the flaw. Committee chairman Senator John Thune (R-SC) was skeptical about the response.

Smith claimed that Equifax had upgraded its scanning technology to catch future flaws but continued to blame the lone technician and the faults of open source software. Paulino de Rego Barros, Smith's successor, said the firm had hired PwC to do a "top-down review" of the IT infrastructure and that stronger policies are now in place, including encrypting its data (duh) and two-factor authentication.

Senator Brian Schatz (D-HI) was even more brutal. He pointed out to Smith that when Yahoo! screwed up, its customers could move, but not in the case of the credit reference agency, giving it "zero incentive" to improve. He also pointed out that Lifelock, the service that checks for identity fraud, actually generated money for the errant company because it subcontracts to Equifax. He also questioned the attendees' personal rewards.

"People back home cannot understand how the CEO of Equifax and the CEO of Yahoo! walked away with $90m, or $27m, or possibly a quarter of a billion dollars in stocks – this is unfathomable to the average person," he said.

"They don't understand, Mr Smith, you harm consumers and you walk away with the amount of money that a small city or county uses for their annual operating budget. It's not fair and it's why this dais has an obligation to make a law and not just drag you back and forth and wave our fingers at you." ®

Biting the hand that feeds IT © 1998–2021