Yahoo has for the first time admitted that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.
The internet firm confirmed the breach that is believed to have affected at least 500 million user accounts on 22 September 2016, claiming it first discovered the breach in August 2016, a month after the deal with Verizon.
But now, in a US Securities and Exchange Committee (SEC) filing, Yahoo has admitted that some staff knew that a state-sponsored hacker had accessed its network shortly after an attack in 2014.
“An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge [about the breach] in the company in 2014 and thereafter,” the company said in its filing.
“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security incident, created cookies that could have enabled such intruders to bypass the need for a password to access certain users’ accounts or account information.”
The Yahoo breach is believed to be the biggest publicly reported breach of its type to date, overtaking the previous record of just more than 359 million user details exposed in a 2008 breach at MySpace.
Confirmation of the breach by Yahoo led to market speculation about whether the news would scupper the deal with Verizon or at least result in a call by the telecoms group for a reduction in price.
Although Yahoo has consistently maintained that it is confident in the company’s value and is working towards integration with Verizon, the SEC filing indicates that the company admits that in a worst-case scenario, the breach could affect the acquisition deal.
The risks and uncertainties around the pending Verizon deal listed in the SEC filing include that: “Verizon may assert, or threaten to assert, rights or claims with respect to the stock purchase agreement as a result of facts relating to the security incident, and may seek to terminate the stock purchase agreement or renegotiate the terms of the sale transaction on that basis.”
Commentators said while this does not necessarily mean Yahoo sees this as an immediate risk, it is interesting that Yahoo has now mentioned the possibility for the first time.
Full cost still unknown
Yahoo also admitted that the full cost of the breach is still not clear. While the company said the breach cost only $1m in the third quarter of 2016 and that the incident “did not have a material adverse impact” on the quarter, it said it had subsequently incurred expenses related to remedial actions.
The company said it also expects to continue to incur investigatory, legal and other expenses associated with the breach. Yahoo said it will recognise and include these expenses as part of operating expenses as they are incurred, adding that the company does not have cyber security liability insurance.
The filing also recognises that Yahoo may also incur costs related to the 23 putative consumer-class action lawsuits that have been filed against the company in US and foreign courts.
The SEC filing has laid bare the true cost of cyber attacks, said Neil Fraser, UK manager at communications firm ViaSat.
“The real risk doesn’t necessarily come from loss of intellectual property, or damage to business operations, but rather the ongoing harm to the organisation’s reputation. The cost might not be immediately apparent, but over time – or if the business is in a sensitive period – it could easily reach billions of dollars,” he said.
The stakes are so high, said Fraser, that organisations need to treat cyber attacks not only as a threat, but as an inevitability.
“Whether an attacker is a state, state sponsored, a criminal enterprise or a single individual looking to boost their reputation, they can cause irreparable damage. In this case, an attacker who was looking to sell the stolen data for $1,800 could easily have cost Yahoo a million times that amount,” he said.
Yahoo has still ‘not taken’ the action needed
To reduce these consequences, Fraser said organisations need to look at a number of issues, both technical and organisational.
“Clearly this includes the security technology in use – from firewalls to antivirus to encryption of both the networks being used, but also the actual data so that any data that is stolen is essentially worthless,” he said.
A study by Venafi Labs revealed that, by September 2016, Yahoo had still not taken the necessary action to ensure users are not exposed and that the hackers do not still have access to their systems and encrypted communications.
The researchers found Yahoo was still using the MD5 cryptographic hashing function for many of its digital certificates, noting that this algorithm had been known to be vulnerable for several years and suffered from many serious and well-documented weaknesses.
Alex Kaplunov, vice-president of engineering for Venafi, said major breaches such as the one suffered by Yahoo were often accompanied by relatively weak cryptographic controls.
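As an added example (not from the article or from Venafi's study), this is the kind of check a defender would run over their own certificate inventory to catch what the researchers describe: a standard-library-only parser that pulls the signatureAlgorithm OID out of a DER certificate and flags MD5 or SHA-1 signatures. The certificates it builds at the end are constructed stand-ins with an empty body, not real certificates; the names `weak_signature` and `sample_cert_der` are this example's own.

```python
# Signature-algorithm OIDs whose hash is MD5 or SHA-1 (RFC 3279): flag certificates using them.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(cert)                # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg_id)              # its first element is the algorithm OID
    return _decode_oid(oid)

def weak_signature(cert_der):
    """Name of the weak algorithm the cert is signed with, or None if acceptable."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(cert_der))

def _encode(tag, body):
    """Short-form DER TLV encoder, enough for the constructed samples below."""
    return bytes([tag, len(body)]) + body

# Constructed stand-ins, not real certificates: empty tbsCertificate, a genuine
# AlgorithmIdentifier, dummy signature. Only the signatureAlgorithm field matters here.
MD5_RSA_OID = bytes.fromhex("06092a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

def sample_cert_der(oid_tlv):
    alg_id = _encode(0x30, oid_tlv + b"\x05\x00")          # OID + NULL parameters
    return _encode(0x30, _encode(0x30, b"") + alg_id + _encode(0x03, b"\x00"))
```

For a real certificate file, `ssl.PEM_cert_to_DER_cert()` from the standard library produces the DER bytes that `weak_signature` expects.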
In addition to security controls, Fraser said organisations also need to look at the training workers are given, and ensure they not only know how to reduce the risk of a successful attack, but how to react.
“This includes isolating and identifying the origin, taking stock of what has been stolen or affected and making sure those who have been put at risk are notified and protected as soon as possible,” he said.
In conclusion, Fraser said Yahoo’s decision not to share information about the breach earlier may prove to be costly in the long run.
“For whatever reason, it seems Yahoo has deliberately delayed sharing critical information. It is this which will have the greatest effect not only on customer trust, but ultimately its reputation,” he said.
The UK’s privacy watchdog, the Information Commissioner’s Office (ICO), is investigating the breach to understand the impact on UK citizens.
Announcing the move in September 2016, information commissioner Elizabeth Denham said the number of people affected by the breach is “staggering” and demonstrates just how severe the consequences of a security hack can be.
“There is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find,” she said.