Former Yahoo CEO apologizes for data breach, blames Russians

By David Shepardson

WASHINGTON (Reuters) - Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for a pair of massive data breaches at the internet company, blaming Russian agents, at a hearing on the growing number of cyber attacks involving major U.S. companies.

"As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users," she told the Senate Commerce Committee, testifying alongside the interim and former CEOs of Equifax Inc and a senior Verizon Communications Inc executive.

"Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data."

Verizon, the largest U.S. wireless operator, acquired most of Yahoo Inc's assets in June, the same month Mayer stepped down. Verizon disclosed last month that a 2013 Yahoo data breach affected all 3 billion of its accounts, compared with an estimate of more than 1 billion disclosed in December.

In March, federal prosecutors charged two Russian intelligence agents and two hackers with masterminding a 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber crimes.

Those charges came amid controversy relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of President Donald Trump. Russia has denied trying to influence the U.S. election in any way.

Special Agent Jack Bennett of the FBI's San Francisco Division said in March the 2013 breach was unrelated and that an investigation of the larger incident was continuing.

Senator John Thune, a Republican who chairs the Commerce Committee, asked Mayer on Wednesday why it took three years to identify the data breach or properly gauge its size.

Mayer said Yahoo has not been able to identify how the 2013 intrusion occurred and that the company did not learn of the incident until the U.S. government presented data to Yahoo in November 2016. She said even "robust" defenses are not enough to defend against state-sponsored attacks and compared the fight with hackers to an "arms race."

Yahoo required users to change passwords and took new steps to make data more secure, Mayer said.

"We now know that Russian intelligence officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo's systems," Mayer said.

The current and former chief executives of credit bureau Equifax, which disclosed in September that a data breach affected as many as 145.5 million U.S. consumers, said they did not know who was responsible.

Senator Bill Nelson said "only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information."

The Senate Commerce Committee took the unusual step of subpoenaing Mayer to testify on Oct. 25 after a representative for Mayer declined multiple requests for her voluntarily testimony. A representative for Mayer said on Tuesday she was appearing voluntarily.

(Reporting by David Shepardson; Editing by Susan Thomas)