Former Yahoo CEO Marissa Mayer Apologizes For Data Breach, Blames Russians (reuters.com)
Former Yahoo chief executive officer Marissa Mayer apologized today for a pair of massive data breaches at Yahoo and blamed Russian agents for the growing number of incidents involving major U.S. companies. A reader shares a report: "As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax and a senior Verizon Communications executive. "Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data."
Good luck if you want to hold anyone accountable for any of this. Maybe you have the time and money to slug it out in the courts. Or years to wait for a verdict.
We have some experience with addressing this. Companies can get slapped pretty hard for violating HIPAA---either for improper disclosure or poor security. However the law was written, it is effective in making them think about security properly. A law by itself doesn't guarantee good conduct across the board, but it certainly helps when there are consequences.
If any congressman wants to extend HIPAA-level security requirements to any system that handles the personal information of American citizens, he gets my vote automatically. We should have done it 20 years ago. Better late than never.
Unless there are new rules and new consequences, nothing will change. Wallets and ballots, people.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
A car example of this would be someone who leaves their keys in an unlocked vehicle. First, someone from Lower Elbonia steals the car. Then, someone from Latveria. Then, someone from Cobra Island, and then someone from the Greater East Asia Co-Prosperity Sphere. Yes, one can blame these countries, but there is also the issue that anyone from anywhere could see the car keys and want to go for a ride.
There comes a point where, yes, a theft is a theft, but there needs to be some culpability in failing to secure things. At least Europe is taking steps to break the "security has no ROI" cycle with the GDPR. It is not perfect, but losing 4% of total earnings is a pretty big incentive to actually spend some on basic security design [1]. Security isn't rocket science. Good security practices have been around since the Cold War era, and OPSEC practices have been around since people started trying to kill each other in groups.
Good security can be done. It is just bothering to spend the resources to do so.
[1]: For example, it isn't hard to secure a database. I've seen a startup use transparent encryption through an HSM to ensure that an intruder isn't going to be able to dump the DB and make off with the goodies. If those guys could do it, a well-heeled company can easily implement this, plus many other defense in depth measures. To secure AD, it isn't hard to set up policies requiring 20+ characters for service accounts, and a short (3-5 minutes) lockout period for user accounts, coupled with a real time monitoring system to catch brute force attempts.
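The "real time monitoring system to catch brute force attempts" in the footnote above is the part most shops never get around to, so here is a minimal worked version of it. This is an added example and not code from the page or from any company named in the thread. It keeps sliding-window counters over failed-logon events and alerts in two cases: many failures against one account (the classic brute force that a 3-5 minute lockout also catches) and, going one step beyond the comment, one source address failing against many different accounts, i.e. a password spray that stays under the lockout threshold and would never trip it. The event records are constructed to resemble Windows Security log events 4625 (failed logon) and 4624 (successful logon) reduced to the fields the detection needs; the window, threshold and sample data are assumptions.

```python
"""Sliding-window brute-force and password-spray detection over logon events.

Added example; not code from the page or from any company discussed there.
Events are constructed (timestamp, event_id, target account, source IP)
tuples modelled on Windows Security events 4625 (failure) and 4624 (success).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625

# Constructed sample data (assumed, not real log output).
SAMPLE_EVENTS = [
    ("2017-11-08T10:00:00", 4625, "alice", "10.0.0.5"),
    ("2017-11-08T10:00:10", 4625, "alice", "10.0.0.5"),
    ("2017-11-08T10:00:20", 4625, "alice", "10.0.0.5"),
    ("2017-11-08T10:00:30", 4625, "alice", "10.0.0.5"),
    ("2017-11-08T10:00:40", 4625, "alice", "10.0.0.5"),   # 5th failure on alice
    ("2017-11-08T10:01:00", 4624, "bob", "10.0.0.7"),     # success: ignored
    # Password spray: one source, one guess per account, never hits lockout.
    ("2017-11-08T10:10:00", 4625, "bob", "192.0.2.9"),
    ("2017-11-08T10:10:10", 4625, "carol", "192.0.2.9"),
    ("2017-11-08T10:10:20", 4625, "dave", "192.0.2.9"),
    ("2017-11-08T10:10:30", 4625, "erin", "192.0.2.9"),
    ("2017-11-08T10:10:40", 4625, "frank", "192.0.2.9"),  # 5th distinct account
    # A lone failure long after the window has expired: no alert.
    ("2017-11-08T10:30:00", 4625, "alice", "10.0.0.5"),
]


class BruteForceDetector:
    """Counts failed logons per account and per source inside a time window."""

    def __init__(self, window=timedelta(minutes=5), threshold=5):
        self.window = window          # matches a short (3-5 min) lockout reset
        self.threshold = threshold    # failures (or distinct accounts) to alert
        self.per_account = defaultdict(deque)  # account -> deque of (ts, account)
        self.per_source = defaultdict(deque)   # source  -> deque of (ts, account)
        self.alerts = []

    def _evict(self, queue, now):
        """Drop entries older than the window (queues are time-ordered)."""
        while queue and now - queue[0][0] > self.window:
            queue.popleft()

    def ingest(self, event):
        """Feed one event; return the list of alerts it triggered (often empty)."""
        ts_str, event_id, account, source = event
        if event_id != FAILED_LOGON:
            return []
        now = datetime.fromisoformat(ts_str)
        fired = []

        acct_q = self.per_account[account]
        acct_q.append((now, account))
        self._evict(acct_q, now)
        # Equality fires exactly once when the count crosses the threshold.
        if len(acct_q) == self.threshold:
            fired.append({"kind": "brute_force", "key": account,
                          "source": source, "at": ts_str})

        src_q = self.per_source[source]
        src_q.append((now, account))
        self._evict(src_q, now)
        distinct = sorted({a for _, a in src_q})
        if len(distinct) == self.threshold:
            fired.append({"kind": "password_spray", "key": source,
                          "accounts": distinct, "at": ts_str})

        self.alerts.extend(fired)
        return fired


def run(events, **kwargs):
    """Replay an event stream through a fresh detector and return all alerts."""
    detector = BruteForceDetector(**kwargs)
    for event in events:
        detector.ingest(event)
    return detector.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream this raises exactly two alerts: a brute_force alert on alice at the fifth failure from 10.0.0.5, and a password_spray alert on 192.0.2.9 once it has failed against five different accounts. The final alice failure at 10:30 raises nothing because every earlier entry has aged out of the window. To run it against real Windows events, map 4625's TargetUserName and IpAddress fields into the tuple shape used here; the per-source view is the one a lockout policy cannot give you.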