Former Yahoo CEO Marissa Mayer apologized in Senate testimony for the pair of massive data breaches that came to define the end of her tenure, as the company was being acquired by Verizon (VZ -0.7%).
Yahoo, which announced last month that a 2013 breach affected far more customers than previously thought, has doubled its security staff, helping to deflect "a barrage of attacks", Mayer said in remarks to be delivered Wednesday before the Senate Committee on Commerce, Science and Transportation. Six months earlier, Yahoo was targeted for the second time in four years in an attack that compromised more than 3 billion email accounts.
Two Russian agents are among four people charged by USA authorities with the attack on Yahoo.
Yahoo only learned about the hack last November, when U.S. law enforcement presented the company with the stolen information, Mayer said.
Mayer apologized for both breaches and said that its hard for companies to fight against state-sponsored attackers who "tend to be more sophisticated, more persistent and who attack more targets.They're very good at hiding their tracks", she said. Because of the information contained in the field, Mayer said the company was confident that the breach occurred in 2013.
Other witnesses in the hearing included interim CEO of Equifax, Paulino do Rego Barros Jr.as well as former Equifax CEO Richard Smith, in addition to Verizon Communications chief privacy officer Karen Zacharia, Entrust Datacard Corporation president and CEO Todd Wilkinson.
"We describe this as arms race, hackers become ever more sophisticated and we have to become sophisticated in turn", Mayer said.
Barros told the committee he has focused on improving customer service and revising the company's structure so that the company's chief security officer reports directly to him. Bill Nelson, D-Fla., said. Equifax's CEO said the same of a breach involving 145 mln consumers.
"To this day, we have still not been able to identify the intrusion that led to the attack".
'A single federal standard would ensure all consumers are treated the same with regard to notification of data breaches that might cause them harm, ' Thune said.