By David Shepardson
WASHINGTON (Reuters) – Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for two massive data breaches at the internet company, blaming Russian agents for at least one of them, at a hearing on the growing number of cyber attacks on major U.S. companies.
“As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users,” she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax Inc <EFX.N> and a senior Verizon Communications Inc <VZ.N> executive.
“Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users’ data.”
Verizon, the largest U.S. wireless operator, acquired most of Yahoo Inc’s assets in June, the same month Mayer stepped down. Verizon disclosed last month that a 2013 Yahoo data breach affected all 3 billion of its accounts, compared with an estimate of more than 1 billion disclosed in December.
In March, federal prosecutors charged two Russian intelligence agents and two hackers with masterminding a 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber crimes.
Those charges came amid controversy relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of President Donald Trump. Russia has denied trying to influence the U.S. election in any way.
Special Agent Jack Bennett of the FBI’s San Francisco Division said in March the 2013 breach was unrelated and that an investigation of the larger incident was continuing. Mayer later said under questioning that she did not know if Russians were responsible for the 2013 breach, but earlier spoke of state-sponsored attacks.
Senator John Thune, a Republican who chairs the Commerce Committee, asked Mayer on Wednesday why it took three years to identify the data breach or properly gauge its size.
Mayer said Yahoo has not been able to identify how the 2013 intrusion occurred and that the company did not learn of the incident until the U.S. government presented data to Yahoo in November 2016. She said even “robust” defenses are not enough to defend against state-sponsored attacks and compared the fight with hackers to an “arms race.”
Yahoo required users to change passwords and took new steps to make data more secure, Mayer said.
“We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo’s systems,” Mayer said. She said “really aggressive” pursuit of hackers was needed to discourage the efforts, and that even the most well-defended companies “could fall victim to these crimes.”
The current and former chief executives of credit bureau Equifax, which disclosed in September that a data breach affected as many as 145.5 million U.S. consumers, said they did not know who was responsible for the attack.
Senator Bill Nelson said “only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information.”
Thune told reporters after the hearing the Equifax data breach had created “additional momentum” for Congress to approve legislation. He said Mayer’s testimony was “important in shaping our future reactions.”
The Senate Commerce Committee took the unusual step of subpoenaing Mayer to testify on Oct. 25 after a representative for Mayer declined multiple requests for her voluntarily testimony. A representative for Mayer said on Tuesday she was appearing voluntarily.
(Reporting by David Shepardson; Editing by Susan Thomas)