Today, September 22, 2016, internet giant Yahoo announced a data breach that exposed the information of over 500 million of its users. The breach, announced by CEO Melissa Meyer, involved the breach of Yahoo servers exposing user names, email addresses, telephone numbers, birthdates and, in many cases, unencrypted security questions related to password recovery. A hacker, going by the online moniker of “Peace,” announced in early August that he or she had accessed Yahoo servers and was offering the database containing user information for sale on the dark web for three bitcoins, or approximately $1,800 at today’s rates.
The timing of this hack could not be worse for Yahoo, as it is in the middle of talks with Verizon for the sale of Yahoo’s core businesses, a deal that could surpass $4.8 billion.
A history of Peace
Peace is well known for hacks of very large internet companies. In 2012, Peace was responsible for the hacking of LinkedIn and subsequent sale of user account information of 117 million LinkedIn user accounts. Earlier this year, Peace also announced a hack of social-network-turned-music sharing network MySpace involving 360 million user records, including 111 million usernames and over 427 million passwords (MySpace had retained old passwords for some user accounts). In each case, Peace placed the data up for sale on the dark web using Tor-based websites, for various amounts of the popular and hard-to-track cryptocurrency, bitcoin.
As members of the Thompson Coburn Cybersecurity team regularly tell clients and attendees at conferences, “it’s not if you have to deal with a data breach, but when.” The hacking industry has become sophisticated to the point that companies must assume that at some point unauthorized individuals will gain access to their servers. Encryption can protect data not only when it is moved from place to place, but also while it is stored on company servers and computers. Developments in encryption technology such as salting and hashing the encryption key for a data set can make it even more difficult for an unauthorized user to view accessed data.
These hacks have all further exposed the tendency for users to, despite a decade of warnings, use weak passwords, making the access of our data easy for hackers like Peace (these hacks, amongst others, have revealed the use of passwords by users, such as “12345,” “password,” and “qwerty,” among other infamous combinations). A weak password can entirely undermine an otherwise formidable cybersecurity system, and such passwords are often the initial vector by which hackers gain entry to a computer system.
Plan ahead: Gathering Information early is key to a good response
Finally, these incidents have reiterated the need for companies to preemptively create and test their breach-response program. Companies must know, before the inevitable breach occurs, the steps that must be taken in order to respond appropriately to a breach. A “Breach Response Plan” should be created with the assistance and participation of company leadership, general counsel, IT leadership and outside cybersecurity counsel. A good breach response plan incorporates a response protocol that puts the company on a solid foundation for dealing with the breach both internally and publically. A strong and immediate response has two important benefits:
- Gathering information: It’s critical to quickly ascertain what information was breached and how it was accessed. With this information, a company can begin to understand the extent of the breach, which users or clients have been impacted, and what steps to take to seal the flaw in company security that led to the breach in the first place. By planning ahead, the collection of this information is more efficient and completed in less time — resulting in significantly lower costs.
- Mitigating risk:For large and small breaches alike, impacted customers and users will be understandably upset. In their eyes, a breach is a failure on the part of the company to protect personal information. As a result, a company’s response will often dictate how impacted customers and users will react. Presenting a strong response can have a significant impact on reducing the risk of litigation or even government investigations. Strong responses often include early indications that the company has an understanding of what happened and details about the extent of the breach. They also place a strong focus on taking care of and protecting impacted users.
Preparing for and responding to a data breach is a complex task, and requires knowledge of the various state requirements for protecting customer information and responding in the case of an incident.