The former CEO of Yahoo, Marissa Mayer, may have envisioned spending her post-Yahoo days relaxing, playing with her $23 million in severance compensation, experimenting with other search engines or looking for a new company to helm.
Instead, she gets to sit in a Senate hot seat alongside Richard Smith, the forcibly "retired" former CEO of Equifax, and answer data breach questions over what she knew, when she knew it and how she might have better handled her company's breach response (see Yahoo CEO Loses Bonus Over Security Lapses).
"Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity [and] there should be consequences if they fail to do so."
Both are set to testify Wednesday before a Senate committee investigating how to respond to the seemingly unending spate of major data breaches resulting in so many consumers' personal details being compromised (see After Mega-Breach at Equifax, CEO Richard Smith Is Out).
After the Senate committee last month asked Mayer to testify, however, she reportedly declined, committee aides told the Wall Street Journal, leading to a rare move by the Senate to issue a subpoena compelling her to testify. The committee couldn't be immediately reached for comment.
A representative for Mayer told the Wall Street Journal that she wasn't the best person to talk about Yahoo's most recent breach disclosures - covering continuing investigations into breaches that occurred during her tenure - but says Mayer agreed to voluntarily testify after learning that a representative from Verizon was also on the witness list.
Verizon purchased Yahoo in June for $4.5 billion and has since combined its AOL business with various Yahoo properties into a new subsidiary named Oath. Mayer was passed over to serve as CEO of Oath but still walked away with over $250 million after the deal closed, based in large part on the value of her Yahoo stock holdings.
Senate Talks Consumer Protection
The Wednesday "Protecting Consumers in the Era of Major Data Breaches" hearing by the Senate Committee on Commerce, Science, and Transportation is scheduled to open with its chairman, Sen. John Thune, R-S.D., calling on companies to sharpen their cybersecurity practices.
The committee says it plans to interrogate Mayer and Smith about the cybersecurity practices they had in place at their organizations as well as how they responded to the loss of "personal consumer data to nefarious actors."
"Companies that collect and store personal data on American citizens must step up to provide adequate cybersecurity [and] there should be consequences if they fail to do so," Thune is expected to say, according to an excerpt of his prepared remarks, reports the Wall Street Journal.
Karen Zacharia, chief privacy officer of Verizon, and Paulino do Rego Barros Jr., the interim CEO of Equifax, are also due to testify, as is Todd Wilkinson, president and CEO of identity management security software vendor Entrust Datacard.
Breach News Worsens
Data breach news continues to be bleak. Equifax's breach, which it first publicly disclosed on Sept. 7, exposed personal data for 145.5 million U.S. individuals as well as credit card numbers for 209,000 U.S. consumers. The breach also exposed documents related to credit disputes that 182,000 U.S. consumers had filed with the company, and affected British and Canadian consumers too.
Revelations over the full impact of Yahoo's breaches, meanwhile, has worsened following Mayer wrapping the company's sale to Verizon in June. By then, unfolding breach revelations had already led to Verizon securing a $350 million discount on Yahoo's original asking price. The terms of the deal also require Yahoo to absorb all costs stemming from shareholder lawsuits and U.S. Securities and Exchange Commission investigations.
Last month, Yahoo said that "new intelligence" gathered by third-party digital forensic experts who have been working with the search giant found that its entire user base, totaling 3 billion accounts, was compromised by a data breach in August 2013. Yahoo only discovered that breach because it had been investigating another one.
The revised tally of 3 billion breached accounts is triple Yahoo's December 2016 estimate of 1 billion breached accounts.
But there are not actually 3 billion breach victims, says Sean Sullivan, a security adviser at Finnish security firm F-Secure. Based on information that has been released by Yahoo, he believes that the search giant has an active population of 500 million legitimate users and that the other 2.5 billion are part of a "dead pool" of no-longer-used accounts created by legitimate users as well as a significant number of fraudster-generated accounts. Sullivan tells me that "lots of them [were] spawned by spammers years ago most probably."
Without a doubt, the scale and pace of old and new breaches being discovered continues to worsen.
But with Mayer and Smith set to appear in the Senate hot seat over two of the worst known data breaches in history, it's important to remember that Congress has failed to ever pass any law designed to safeguard data breach victims. In addition, the Republican leadership has signaled that it feels no new consumer-protection laws are necessary.
Until that changes, while the Senate might make Mayer and Smith sweat, hearings such as this one amount to little more than political theater (see Cynic's Guide to the Equifax Breach: Nothing Will Change).