Security Breach Costs Yahoo CEO Millions

Yahoo’s (NASDAQ:YHOO) chief executive, Marissa Mayer, has lost her 2016 bonus as a result of the 2014 theft of information from more than 500 million Yahoo accounts. Ms. Mayer said in her statement that she was unaware of the breach until September 2016. She also wrote in the statement, “However, I am the C.E.O. of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year.”

Ms. Mayer’s employment agreement shows that her base salary is $1 million a year, her annual stock award is to be no less than $12 million a year, and her annual target bonus is $2 million a year. The statement also says that she will give up her 2017 equity compensation in connection with the incident. Yahoo first disclosed the hack to the public in September of last year.

The company’s board of directors said in a securities filing that Yahoo’s leadership failed to “properly comprehend or investigate” the situation. An investigation by the board revealed that senior executives, company lawyers and information security staff were aware of the hack in 2014. In that breach, hackers used stolen information to forge “cookies” that could be used to access millions of Yahoo accounts without using passwords. It was also found that they knew about later attempts to break into the affected accounts that occurred in 2015 and 2016.

The company’s filing said it had concluded its investigation into the matter. It did not name any individuals as being responsible for Yahoo’s security breach. The filing did say that the board “did not conclude that there was an intentional suppression of relevant information.” The company’s failure to uncover a separate theft of the account information of one billion users that occurred in 2013 was not addressed in the filing.

Yahoo’s top lawyer, Ronald S. Bell, has resigned from the company, apparently in connection with the security breaches. A statement from the company said that he would receive no payments in connection with his departure. So far, the company has incurred $16 million in direct costs related to the breaches.

To date, 43 consumer class-action lawsuits have been filed against the company in federal, state and foreign courts over the breaches. A stockholder class-action suit has also been filed against the company. The company said that it is cooperating with the investigations against it and has revised its procedures for responding to cyber-security incidents to prevent such an occurrence from happening again.