2016 was the Year of the Data Breach for Yahoo, as it announced three separate and significant data breaches. Although the consequences of these breaches are still unfolding, the financial cost to Yahoo is already significant – in 2017, Verizon slashed the price of its deal to buy Yahoo by US$350 million. The hack hangover is now set to worsen, with a US judge ruling in August this year that Yahoo will face litigation by data breach victims.
Between 2013 and 2016 Yahoo suffered a number of data breaches that are now thought to have affected billions of users. In all three breaches, the categories of user data compromised included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. No payment or bank account information is believed to have been accessed.1
- August 2013 breach: In December 2016, Yahoo initially announced that user data from 1 billion users was compromised as a result of a cyber attack that occurred in August 2013. Yahoo has now tripled this figure, and believes that this security breach affected all 3 billion of its users. The hackers used 'forged cookies'2 to access user accounts without a password by misidentifying anyone using them as the owner of the email account. Yahoo only became aware of the attack in November 2016 when the Chief Intelligence Officer of InforArmor spotted one billion Yahoo accounts for $300,000 in a private sale on the dark web, while he was tracking an Eastern European hacker group.
- Late 2014 breach: In September 2016, Yahoo admitted that data from at least 500 million user accounts had been stolen from the company's network in late 2014 by a state-sponsored actor. The information exposed in this leak was similar to the 2013 leak.3 It's not clear why, but although this breach occurred after the 2013 breach, Yahoo publicised it first.
- 2015-16 breach: In March 2017, Yahoo disclosed that another 32 million user accounts were accessed by intruders in the previous two years again using forged cookies. Yahoo said that some of the latest intrusions were connected to the same state-sponsored actor thought to be responsible for the 2014 breach.
The effects of the Yahoo breaches are still unfolding but to date the breach has impacted Yahoo in the following ways:
- Reputation damage: Being the largest known breach of user data to date, Yahoo's reputation has suffered significantly. In addition, Yahoo was heavily criticised for the amount of time (two years) that it took for them to identify and disclose the breach. In 2016, the average time it took organisations to identify data breaches was approximately 191 days.4
- Financial costs: Following the breach, Verizon made amendments to the terms of its agreement to purchase Yahoo and slashed the price of the deal by US$350 million. The two companies also agreed to share some of the legal and regulatory liabilities that arise from particular Yahoo data breaches (although it's not clear if this covers all three of the breaches announced in 2016).5
- Regulatory investigations: Yahoo is facing scrutiny from the Securities and Exchange Commission (SEC), the Federal Trade Commission, the US Attorney's Office and a number of State Attorneys General. The SEC's investigation is expected to look at Yahoo's disclosures to investors about the breach and, in particular, whether they should have occurred earlier.
- Criminal convictions: In March 2017, the US Department of Justice charged two officers of the Russian Federal Security Service and two hackers in connection with the second breach in late 2014.
- Legal costs: Yahoo is facing nationwide litigation in the US including a consolidated class action complaint in which a judge recently refused Yahoo's motion to have the claim dismissed on the basis that the plaintiffs could not show how the breaches harmed them. The US District Judge ruled that Yahoo users could pursue the claims based on allegations of heightened identity theft risk and loss of value of their personal information. The claims that have been allowed to continue are for breach of contract, breach of the covenant of good faith and fair dealing and other violations of Californian law. Initially, the class action covered four classes: the United States class, an Israel class, a small business users class and a class representing consumers from Australia, Venezuela and Spain. The judge dismissed the Australian, Venezuelan and Spanish plaintiffs due to forum selection clauses holding that certain foreign laws apply and that claims can only be brought in those foreign courts. We have not seen any actions brought separately in Australia. Yahoo is also facing a separate class action in Canada.6
- Tread carefully and consider your PR strategy. As we've seen time and again, an inadequate response to a data breach can do more damage to a company's reputation than the breach itself. Failing to notify promptly, a clunky customer experience or misreported information can be damaging. In Yahoo's case, its failure to disclose the data breaches promptly, its haphazard approach and the drip-feeding of information about the breaches attracted criticism and gave the impression that Yahoo was both unprepared and withholding information.
- Implement a data breach response plan: As Verizon's CEO put it, 'it's not a question of if you're going to get hacked – it's when you're going to get hacked'.7 Each organisation should have a data breach response plan in place to facilitate a quick response in a breach situation. As the Yahoo example demonstrates, there are significant regulatory costs and negative publicity that arise from delayed incident responses and risk management failures. For more on how to prepare a data breach response plan see our Cyber Security Tip Sheet.
- Don't forget about detection. Although prevention is paramount when it comes to cyber threats, it's important not to forget about monitoring your network and the software and procedures you have in place to detect unusual activity. A data breach response plan can do no work until the data breach is detected. This might include monitoring for unusual data flows at the back end of your systems and also for unusual customer or account activity. As the Yahoo breaches demonstrate, the longer a data breach goes undetected the more disastrous the impact for businesses and, potentially, the affected individuals.
- Bob Lord (Chief Information Security Officer of Yahoo), Important Security Information for Yahoo Users, December 14 2016.
- A cookie is code that stays in a user's browser cache so that a website doesn't require a login with each visit.
- Yahoo, Yahoo Security Notice, September 22 2016.
- Ponemon Institute, 2017 Cost of a Data Breach Study, 2017.
- Verizon Press Release, Verizon and Yahoo amend terms of definitive agreement, February 21 2017.
- Yahoo Class Action.
- Business Insider, Verizon CEO says the report that he wants a $1 billion discount on hacked Yahoo is pure 'speculation', October 11 2016.