Yahoo takes $350m cut on deal with Verizon after security breaches

Ending months of speculation, Verizon has announced a revised deal for acquiring Yahoo’s core business that is $350m less than the original due to revelations of two major data breaches

Yahoo has reportedly accepted a $350m reduction on the original $4.83bn sale to Verizon due to its significant cyber security breaches.

The deal was signed in July 2016, but subsequent revelations of data breaches in 2013 and 2014 affecting one billion and 500 million accounts respectively, and more recently of hackers forging cookies to gain access to customer accounts, led to speculation that the offer would be reduced or even withdrawn.

In November 2016, in a US Securities and Exchange Commission (SEC) filing, Yahoo admitted for the first time that some staff knew that a state-sponsored hacker had accessed its network shortly after an attack in 2014, that the true cost of the breach was still unknown, and that the breach could affect its deal with Verizon.

After months of speculation, Verizon has confirmed that it is now buying the core Yahoo business for around $4.48bn, according to the BBC. The deal is now expected to close in the second quarter of 2017.

Under the new deal, Yahoo and Verizon will split the cost of government investigations and third-party litigation related to the data breaches, but Yahoo alone will be responsible for any liabilities arising from shareholder lawsuits and Securities and Exchange Commission (SEC) investigations.

Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach, according to the Financial Times.

Once the acquisition is complete, Verizon plans to combine Yahoo’s search, email, messenger and advertising technology with the assets from its $4.4bn acquisition of AOL in 2015.

Commenting on the Verizon deal in 2016, Yahoo chief executive Marissa Mayer said it would provide opportunities for Yahoo to build further distribution and accelerate its work in mobile, video, native advertising and social.

“The amended terms of the agreement provide a fair and favourable outcome for shareholders,” said Marni Walden, Verizon executive vice-president, in a statement.

“It provides protections for both sides and delivers a clear path to close the transaction in the second quarter,” she said.

Cyber attacks could seriously affect M&A discussions

If cyber security was not already a priority agenda item across boardrooms, the news of the revised deal will resonate with key stakeholders in many organisations, according to Rob Norris, head of enterprise and cyber security for Europe, Middle East, India and Africa at Fujitsu.

“The European Union’s GDPR [General Data Protection Regulation] has already established cyber security and breach readiness as topics requiring serious attention from business executives, due to the eye-watering fines of €20m or 4% of global annual turnover for non-compliance. However, today’s news shows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions,” he said.

Fujitsu predicts that in 2017, organisations will start taking a closer look at cyber security in their supply chain, as cyber attacks have the potential to affect a business’ financial accounts.

“The damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, but huge ICO fines coupled with real damage to a company valuation will ensure that cyber security related issues become an even higher priority,” said Norris.

Gunter Ollmann, chief security officer at Vectra Networks, said Yahoo has demonstrated that many businesses that lack transparency and willingness to discuss security matters in an honest and open way will see significant impact on the bottom line, market value and reputation.

“The revised deal highlights that security is a strategic issue and needs to be included as part of any M&A [mergers and acquisitions] due diligence. Likewise, cyber attacks offer the opportunity for motivated external parties to damage an M&A target organisation’s reputation and thus market value,” he said.

Ollmann predicts that the GDPR – and its requirement for appropriate security controls, breach notification and punitive sanctions for non-compliance – will be a driver of increased transparency, and hopefully improved security posture.

“There is another assumption that if the breached organisation is sufficiently instrumented that they can not only detect a breach, but that they’re able to track the attacker’s activities and enumerate precisely what data they had access to,” he said.

“But most organisations aren’t sophisticated enough to identify this level of threat activity. If you can’t detect it, there is no way to prove you were breached. In fact, gaining real-time visibility into hidden attacks can enable an organisation to spot the precursor behaviours of breach and foil the attack earlier in its lifecycle, avoiding a reportable data breach,” he added.