Yahoo has provided some new information about the two massive data breaches it was hit with in 2013 and 2014. The information was detailed in a letter to the US Senate, written in response to an angry letter previously sent to CEO Marissa Mayer by Senators John Thune and Jerry Moran.
In the latest letter, sent by Yahoo VP and head of global public policy April Boyd, the firm claims that it was unaware of the 2013 data breach until it was approached by law enforcement authorities about it in November 2016. However, the tech giant revealed that it was aware of the 2014 hack in the same year it occurred, raising questions about why the details of that breach were not disclosed until 2016.
In the letter, Boyd wrote, "We understand the Committee's desire to learn more about what occurred and the steps Yahoo has taken to secure user accounts.
"Through strategic proactive detection initiatives and active response to unauthorised access to user accounts, Yahoo strives to stay ahead of these ever-evolving online threats and to keep our users and platforms secure. We continue to enhance our systems to detect and prevent unauthorised access, and to strengthen our defences against threats to security, including advanced persistent threats."
Here are the main takeaways from Yahoo's latest revelations to the Senate:
How many users were affected by the breaches?
Yahoo confirmed that the 2013 hack exposed information from over 1 billion user accounts, while the 2014 data breach, believed to have been the work of state-sponsored hackers, affected 500 million users. Although the tech giant has yet to attribute the 2014 incident to a specific nation, it revealed that a "majority of the user accounts" potentially affected by the 2014 breach were also involved in the 2013 incident.
Yahoo is expanding its focus on cybersecurity – finally
Yahoo claims that in the wake of the data breaches, the firm has intensified its focus on cybersecurity. The firm said that employees now have "near-daily" meetings with the CEO, as well as a weekly "all-hands meeting" with the chief information security officer (CISO) Bob Lord, in an effort to improve the firm's security.
The firm also said that it has recently hired a risk management executive to improve security. "Yahoo has formalized the role of and hired a functional leader for risk management whose chief mandate is to mature Yahoo's formal information risk management security program," the tech giant said.
The firm is also expanding its APT (advanced persistent threat) team in an effort to boost its ability to detect and mitigate state-sponsored attacks. The firm now follows the NIST cybersecurity framework, which recommends security best practices for businesses, including taking a "kill chain" approach to threat detection. The firm has also staffed a "Red Team" that tests and attacks the firm's own products and services to improve its cyber defences and capabilities.
Yahoo's expanded cooperation with law enforcement
The firm confirmed that it is now working with state, federal and foreign government authorities on the investigation into the breaches.
Senate Committee to be briefed by an independent panel of Yahoo's board of directors
Yahoo said that an "Independent Committee of the Board of Directors" that investigated the breaches will provide a briefing to the Senate, instead of allowing Mayer or any other executive to address the matter. The move would keep Yahoo employees from speaking publicly about the breaches before the Verizon deal, which is expected to close in the second quarter of 2017.