Two of the most impactful data breaches in history remain unsolved mysteries.
Yahoo’s 2013 breach that impacted all 3 billion of the company’s users remains an open case, former CEO Marissa Mayer told the Senate Commerce Committee on Wednesday, testifying alongside the interim and former CEOs of Equifax and a senior Verizon executive. Yahoo didn’t even know of the record-setting 2013 breach until a U.S. indictment in November 2016, more than three years later.
An FBI investigation of the 2013 breach is ongoing.
This year’s Equifax breach has smaller numbers (145 million people affected), but the data stolen is extremely sensitive and may end up causing more harm than the Yahoo breach. As with Yahoo, the interim and former CEOs of Equifax don’t know who breached their company. There are now multiple ongoing federal investigations into both the breach and the company itself, interim CEO Paulino Barros told the committee.
Yahoo’s 2014 breach, which impacted 500 million users, is attributed to Russian state-backed hackers. U.S. government officials say it’s unconnected to the 2013 breach, which remains unsolved.
“As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” Mayer said. “Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users’ data.”
Yahoo was purchased by Verizon for $4.48 billion, with the purchase being discounted by $250 million as a direct result of the breach disclosure.
Mayer, forced by subpoena to testify, said defending against nation-state hackers was a monumentally difficult task and a never-ending “arms race.”
The hearing included calls by legislators, among them Sen. Bill Nelson, D-Fla., for the Federal Trade Commission to set national cybersecurity standards and to impose fines on companies that fail to meet them. That line of questioning led to contentious exchanges with Verizon Chief Privacy Officer Karen Zacharia about national data breach notification legislation when Zacharia said that consumers shouldn’t be notified too often when their information is stolen.
Only 30 million of the 145 million people affected by the Equifax breach have been notified, a number for which Sen. Tammy Baldwin, D-Wis., hammered the company’s representatives. Their responses included apologies to the public and a promise to develop an app allowing consumers to lock and unlock personal credit data in January.
When asked if their customers were more secure today than before the breach, Equifax’s representatives enthusiastically said yes. When posed the same question, Zacharia failed to give an answer.
Update: Added clarification distinguishing the 2013 and 2014 Yahoo breaches.