Yahoo is apparently punishing CEO Marissa Mayer by withholding her 2016 bonus and any stock awards for this year after her management team was found to have mishandled two massive security breaches that affected the personal information of over 1 billion users.
In an internal investigation disclosed on Wednesday, Yahoo said the company's security team found that a state-backed hacker compromised user accounts in 2014, but that some senior executives failed to "properly comprehend or investigate, and therefore failed to act sufficiently upon" what the security team knew. Yahoo also said the company notified only 26 people that their accounts had been hacked.
"In response to the Independent Committee's findings related to the 2014 Security Incident, the Board determined not to award to the Chief Executive Officer a cash bonus for 2016 that was otherwise expected to be paid to her. In addition, in discussions with the Board, the Chief Executive Officer offered to forgo any 2017 annual equity award given that the 2014 Security Incident occurred during her tenure and the Board accepted her offer," Yahoo said in a filing submitted to the US Securities and Exchange Commission (SEC).
Mayer also took to Tumblr to say that she had agreed to give up her annual bonus. Here's what she wrote in her note:
"As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016."
In its report, Yahoo also admitted that outside investigators identified approximately 32 million user accounts for which "forged cookies" were used in 2015 and 2016. The company also said some of the forgeries are connected to the same state-sponsored attacks in 2014.
Yahoo disclosed the 2014 data breach in September last year, saying that about 500 million user accounts were compromised. In December, the company disclosed yet another hacking attack in which nearly 1 billion user accounts were breached in August 2013.
The US SEC launched a probe in January to determine whether Yahoo should have reported the hacking attacks earlier to its investors.
The filing also highlighted the failure of the legal team and said that the company's General Counsel Ronald Bell was resigning with immediate effect without any payment in connection with his departure.
"Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident," Yahoo said in the filing.