clock menu more-arrow no yes

Yahoo’s head lawyer is taking the fall for its hacking, while CEO Marissa Mayer is getting her pay docked

The blame for the massive breach falls on Ron Bell and not where it belongs — at the top.

Fortune Global Forum - Day 2
Yahoo’s apparently blameless CEO, Marissa Mayer.
Kimberly White / Getty Images

Yahoo’s CEO Marissa Mayer has gotten her pay docked — giving up a cash bonus from 2016 and a stock award for 2017, which seems to be worth about $14 million — for the massive breach of the internet giant’s customer database.

Recode first broke the news of the incursion, which has impacted hundreds of millions of users of the service, revealing all kinds of sensitive information.

But, said an independent committee, Mayer did not mean to run such a loose security ship, noting, it “did not conclude that there was an intentional suppression of relevant information.”

Still, Yahoo’s head lawyer, Ron Bell, got bounced for not doing his job, said the company, which noted that the “Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.”

So when is the lawyer the one who gets dinged for hacking screw-ups? Never. Let’s be clear, most people inside Yahoo think Mayer and the board should have shouldered the bulk of the blame for the breach.

The reaction to the announcement by Yahoo on social media was swift and decidedly anti-Mayer and pro-Bell, with comments coming from those who have worked with him and also, interestingly, at least one general counsel at another company.

That would be Twitter’s chief legal officer Vijaya Gadde:

And also former Yahoo exec Scott Moore:

They’re right. Multiple sources close to the situation said how Yahoo handled things as it became aware of the breaches — there was more than one — was less clear cut than the determination in today filing. In fact, several major security execs left during this period. That included Yahoo’s chief information security officer Alex Stamos, who went to Facebook in mid-2015 after clashes with Mayer over a number of issues related to security, said sources.

None of that pertinent information was in Yahoo’s 10-K regulatory filing today, which unveiled the actions on the security incidents.

Among the key points, said the company:

Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016.

In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool.

The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement.

While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.

The Independent Committee did not conclude that there was an intentional suppression of relevant information.

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.

Might I translate that for you into English? Alrighty then: The management screwed up and left users vulnerable for years to incursions by malicious state-sponsored hackers.

Yahoo said Mayer had her 2016 cash bonus taken away and then offered to give up her equity in 2017. It appears to be $2 million in bonus and up to $12 million in stock, which Yahoo did not volunteer, but it is the corporate equivalent of a minor speeding ticket.

In a post on Tumblr, Mayer said she had "expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016." Given Yahoo has about 8,500 full-time employees now, that comes to about $235 a person.

Not for Bell, though, who did worse, apparently, by losing his job. Yahoo said he had resigned, but not without a few public smacks upside the head. The company said that “no payments are being made to Mr. Bell in connection with his resignation.”

Let me translate the Yahoo-speak again for you, since I happen to speak it fluently: He is the scapegoat, the fall guy, the one who has to suck it up for Mayer.

One good thing is that this news clears the way for the $4.8 billion acquisition of Yahoo, which has already seen a $350 million discount for the breach. It is not clear if Mayer will get the huge payout she is owed on the sale or if she will voluntarily or otherwise give it up.

Here’s the statement from Mayer, which might have been nicer if it included a my-bad-so-sorry-oops:

As those who follow Yahoo know, in late 2014, we were the victim of a state-sponsored attack and reported it to law enforcement as well as to the 26 users that we understood were impacted. When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies. However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.


This article originally appeared on Recode.net.

Sign up for the newsletter The Weeds

Understand how policy impacts people. Delivered Fridays.