July 3, 2019

Let’s get smarter about cyber.

This blog is to educate you about data breaches. We provide you the who, what, when, why and how about regulation, operational, legal and financial (ROLF) impacts.

Yahoo: The bigger they are, the harder they fall.

Yahoo was the 8th most popular web services provider in the world prior to acquisition by Verizon Media. Yahoo was founded in January 1994 and was one of the initial leaders of the early Internet era in the 1990s with revenues of $5.17 billion and almost 9,000 employees.

In 2016, Yahoo announced that in 2013 they had suffered a Russian attack on their network that impacted one billion accounts. Three months before that, the company had also disclosed a separate attack, which occurred in 2014, that affected 500 million accounts. The impact was to crown jewel assets, including user IDs and passwords that were poorly hashed and easy to crack. In addition, the attackers obtained security questions and backup email addresses used to reset passwords. The Yahoo data breach is the largest data breach in history.

Spear-phishing emails were sent to Yahoo employees; an employee clicked the link, and malware was downloaded and installed on the Yahoo network. Once on the network, the hackers began reconnaissance for the crown jewel digital assets, which included Yahoo’s user database and the account management tool used to edit that database. The hackers then established a backdoor on a Yahoo server so that they could come and go as they liked. The database contained customer names, phone numbers, password challenge questions and answers, password recovery emails and a unique cryptographic value for each account. Those cryptographic values were then used to generate access cookies through a script that had been installed on a Yahoo server. The cookies were generated many times and gave the hackers free access to a user’s email account without the need for a password.
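The point of the cookie-minting step above is that a session cookie whose validity depends only on a value stored in the user database can be regenerated by anyone who has stolen that database. The following is an added illustration, not code from the original post or from Yahoo, of how a session cookie can be built so that the user database alone is not enough to mint one: the cookie is bound to a server-side key that never lives in the user table, carries an expiry, and must match a live server-side session record, so stolen per-account data cannot be turned into access and sessions can be revoked after a compromise. All names (`SESSION_KEY`, `USER_DB`, `ACTIVE_SESSIONS`, `mint_cookie`, `verify_cookie`, `revoke_sessions_for`) and the sample user are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Server-side signing key. Kept out of the user database (assumption: in a
# real deployment it lives in a secrets manager or HSM, never in the user table).
SESSION_KEY = secrets.token_bytes(32)

# Constructed stand-in for the user table: the per-account value is stored
# here, as the breached database did, but it plays no part in cookie validity.
USER_DB = {"alice": {"account_secret": secrets.token_hex(16)}}

# Server-side session store: session_id -> (user, expiry). A cookie that is
# not backed by a live record here is rejected even if its signature checks.
ACTIVE_SESSIONS = {}


def _tag(user, session_id, expiry):
    payload = f"{user}|{session_id}|{expiry}".encode()
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).hexdigest()


def mint_cookie(user, ttl_seconds=3600, now=None):
    """Issue a session cookie for an already-authenticated user."""
    if user not in USER_DB:
        raise KeyError("unknown user")
    now = int(time.time() if now is None else now)
    session_id = secrets.token_urlsafe(16)   # random, not derived from account data
    expiry = now + ttl_seconds
    ACTIVE_SESSIONS[session_id] = (user, expiry)
    return f"{user}|{session_id}|{expiry}|{_tag(user, session_id, expiry)}"


def verify_cookie(cookie, now=None):
    """Return the user the cookie authenticates, or None if it is invalid."""
    now = int(time.time() if now is None else now)
    try:
        user, session_id, expiry_str, tag = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None                             # malformed cookie
    # Constant-time comparison so tag mismatches leak no timing information.
    if not hmac.compare_digest(_tag(user, session_id, expiry), tag):
        return None                             # tag not made with SESSION_KEY
    if now >= expiry:
        return None                             # expired
    if ACTIVE_SESSIONS.get(session_id) != (user, expiry):
        return None                             # revoked or never issued
    return user


def revoke_sessions_for(user):
    """Invalidate every live session of a user, e.g. after a suspected compromise."""
    stale = [sid for sid, (u, _) in ACTIVE_SESSIONS.items() if u == user]
    for sid in stale:
        del ACTIVE_SESSIONS[sid]
    return len(stale)


if __name__ == "__main__":
    c = mint_cookie("alice")
    print("valid:", verify_cookie(c))
    print("after revoke:", revoke_sessions_for("alice"), verify_cookie(c))
```

A practitioner reviewing a session scheme would check the three properties the example enforces: the signing key is separate from the user database, every cookie expires, and there is a server-side way to kill live sessions so that a breach can be closed by rotating `SESSION_KEY` and clearing `ACTIVE_SESSIONS` rather than by waiting for cookies to age out.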

Yahoo ignored the warning signs. Critical web service providers including Yahoo and Google were penetrated in 2010. Google took it seriously and hired more security engineers and invested heavily in security infrastructure. Yahoo made some minimal control additions.

Yahoo’s focus was to develop and grow new products and update Yahoo’s email features. Yahoo concentrated on adding infrastructure for product growth and all but ignored the threat. Password storage was weak: passwords were hashed with MD5 (an algorithm deprecated by most companies), and the security questions were not encrypted.
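To make the MD5 point concrete, here is an added example (not code from the original post or from Yahoo) contrasting the unsalted MD5 scheme the post describes with a salted, iterated password hash, using PBKDF2-HMAC-SHA256 from Python’s standard library. It goes one step beyond the post by treating security-question answers the same way, since the post notes those were stored without protection. Function names (`md5_digest`, `hash_secret`, `verify_secret`, `hash_answer`, `verify_answer`) and the iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Iteration count: assumed here; OWASP's 2023 guidance suggests 600,000 for
# PBKDF2-HMAC-SHA256. Stored with each hash so it can be raised later.
PBKDF2_ITERATIONS = 600_000


def md5_digest(password):
    """The legacy scheme: unsalted, single-pass MD5.

    Identical passwords give identical digests across all users, and MD5 is
    fast enough that large precomputed tables make cracking cheap.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hash_secret(secret, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash. Output format: pbkdf2_sha256$iter$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:
        return False                      # malformed record
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def normalize_answer(answer):
    """Security answers are free text; normalise case and whitespace before hashing."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, **kwargs):
    """Store a security-question answer as a salted hash, never in the clear."""
    return hash_secret(normalize_answer(answer), **kwargs)


def verify_answer(answer, stored):
    return verify_secret(normalize_answer(answer), stored)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print("md5  user1:", md5_digest("password"))
    print("md5  user2:", md5_digest("password"))      # identical
    print("kdf  user1:", hash_secret("password"))
    print("kdf  user2:", hash_secret("password"))     # differ by salt
```

The two `kdf` lines differ even for the same password because each record carries its own random salt, which defeats the precomputed tables that make unsalted MD5 cheap to crack; the iteration count is stored alongside the hash so it can be raised as hardware gets faster without invalidating existing records.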

Yahoo was fined $35 million by the SEC for failing to disclose their known data breaches. $80 million in federal securities class action lawsuits were settled by Yahoo in March 2018. This was another first. Yahoo stock dropped by 3%, and the company lost $1.3 billion in market cap after it disclosed the 2014 breach. Yahoo reached a settlement of $117.5 million for nearly 200 million people who had sensitive information stolen as a result of the data breach.

After Yahoo disclosed the data breach to Verizon in 2014, days before the ink was to be dry on the Verizon acquisition, the brakes were put on and Yahoo agreed to reduce the purchase price by $350 million (a 7.25% reduction in price) and agreed to share liabilities and expenses relating to the breaches going forward. Yahoo has disclosed security incident expenses of $16 million ($5 million for forensics and $11 million for lawyers). Shareholder legal actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. The SEC officials noted that Yahoo left “its investors totally in the dark about a massive data breach” for two years, and that “public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” Regulators are now laying the foundation for ramped-up enforcement actions with real penalties.

Lessons learned include: having meaningful commitment from the top of an organization towards cybersecurity, and not ignoring the pink elephant in the living room. Non-disclosure and ignoring the law are also high on the list. Not only was Yahoo negligent in protecting the digital assets of its shareholders, it didn’t even have basic security controls in place (e.g. an automatic reset of all user passwords).

Reputationally, Yahoo has lost consumer and corporate trust. Yahoo’s CEO didn’t receive an annual bonus, and Yahoo’s general counsel resigned after the SEC found Yahoo’s legal team had sufficient information for a further investigation but did nothing. The SEC has called on Yahoo senior executives who knew about the breaches well before disclosure. Yahoo did not have cybersecurity liability insurance and therefore paid $16 million for security incident expenses out of pocket.

In November 2016, 23 lawsuits related to the 2014 breach were filed, including case amendments that covered the August 2013 breach. Shareholder derivative actions remain pending in state courts, as do consumer data breach class actions. A class-action lawsuit was filed against Yahoo in New York state on behalf of all affected US residents, stating that Yahoo failed to provide adequate protection of its users’ personal and confidential information.

In total the financial impact was over $12 billion.