Internet search giant Yahoo!Inc. (“Yahoo”) revealed last year that it was the victim of two massive data breaches back in 2013 and 2014 that potentially affected more than 1.5 billion users. Investigations into the incidents continue to reveal potentially damning information regarding what the company knew and when, how the company responded to the breaches, and the status of Yahoo’s information security at the time of the breaches. The details that have emerged paint the picture of a company that failed to adhere to basic data security requirements. Unfortunately, the technology company will likely become a case-study in what happens when an organization fails to follow security best practices.
• Yahoo did not stay up-to-date on current technology and failed to employ adequate security measures
It appears that in 2013, when the first data breach occurred, Yahoo was still using a discredited technology for data encryption known as MD5. The weaknesses of MD5 had been known by security experts and hackers for more than a decade and public warnings had been issued advising that MD5 was “unsuitable for future use.” When Yahoo finally decided to begin using better technology, it was too late – hackers were able to steal the poorly encrypted passwords and other information.
One of the basic tenets of data security is the need to stay abreast of technological developments and maintain satisfactory security controls. If Yahoo had employed stronger and more secure technology sooner, the hackers would have had greater difficulty accessing customer accounts.
• Yahoo did not make security a company priority
Reports indicate that when Yahoo’s security team requested new tools and features to strengthen Yahoo’s security, they were turned down because Yahoo was concerned such requests were too costly or complicated. Reports also indicate that even when Yahoo was growing, the company did not see security as important. According to Yahoo, executives are now more involved in the company’s cybersecurity and a risk management executive has been hired to focus on security. However, this executive-level involvement is, once again, too little, too late.
A fundamental principle of data security is that security must be a company priority from the board of directors on down. If the board had been involved in security-related matters, if Yahoo had held executives responsible for security compliance, and if Yahoo had increased budgets for security initiatives, the company might not be in its current predicament.
• Yahoo did not fully investigate when it first suspected a breach
In its Form 10-Q filed with the SEC in November 2016, after publicly announcing the massive 2013 and 2014 data breaches, Yahoo acknowledged that it may have known about the 2014 breach earlier. Yahoo explained in the filing that the company had identified “access to the company’s network by a state-sponsored actor” in late 2014.
Accordingly, it appears that Yahoo was aware of a data breach in 2014, but failed to fully investigate at the time. While it is unclear whether the company did not have proper policies and procedures in place, or whether its policies and procedures were not properly followed, it is clear that Yahoo should have done more in 2014 when it first became aware of an intrusion on its network.
• Yahoo may have failed to provide timely notification of the breaches
As noted above, Yahoo employees were aware of a security breach in 2014 – two years before Yahoo revealed the data breaches to affected customers. To date, Yahoo has not explained why it took the company two years to publicly disclose the 2014 incident and who made the decision not to go public with this information sooner.
It remains to be seen whether the breach, as understood by Yahoo executives back in 2014, was large enough to require public notification at the time. Yahoo has established an independent committee to investigate what company officials knew in 2014. Law enforcement officials, including various state attorneys general and the U.S. Attorney’s office for the Southern District of New York, are conducting investigations. Additionally, the FTC and SEC are looking into the breaches.
• Yahoo does not have cybersecurity insurance
Yahoo also revealed in its November 2016 Form 10-Q that the company does not carry cybersecurity insurance. As of January 2017, Yahoo has spent more than $10 million investigating and remediating the two data breaches. That figure is likely to increase as the company defends itself against numerous lawsuits stemming from the breaches.
Cybersecurity insurance is an increasingly common way for companies to protect themselves against inevitable security incidents. It is surprising that a technology company of Yahoo’s size and sophistication did not have such insurance (and Yahoo is now likely regretting its decision to forgo insurance).
In July 2016, before Yahoo publicly revealed the 2013 and 2014 breaches, Verizon reached a deal to acquire Yahoo for $4.8 billion. While the deal was thrown into doubt after Yahoo’s breach revelations, the two companies maintain that the deal will be completed. However, closing of the sale has been pushed back and the deal has been reduced by $350 million. The companies may announce further changes to the deal as investigations continue.