Yahoo is full of surprises as of late. Just last week, the company revealed that they had a massive data breach in 2014 – a situation made more scandalous because it was the media, not the company responsible, that spilled the beans. The scandal then grew larger when it was revealed that Yahoo had been sitting on the knowledge for at least one month. And then the New York Times reported that Yahoo had decided not to invest in the necessary IT security that could have stopped the breach from happening.
Promise Less, Deliver More is for Good Stuff Only
When Yahoo confirmed the media’s reports, they noted that at least 500 million accounts had been affected and that the stolen information could have included security Q&As, birthdates, and phone numbers – the type of data that has taken on increased importance as people forget passwords due to the continued proliferation of sites and services on the internet. Passwords and URLs may change, but your mother’s maiden name and your first pet generally don’t. (Sure, you could fudge your mother’s last name in your security questions, but then you run into the same problem you had with the password: you won’t be able to remember it. Not much of a backup strategy).
A problem with the revelation: there are rumors that the affected accounts actually number closer to 1 billion. Technically, this also falls under the definition of “at least 500 million,” but I can see how lawmakers, politicians, and the media would have a field day with this. Why not say it was at least 1 million? Or more than 1? These are also technically true.
This is definitely a situation where you want to overshoot your numbers, in a sense promising more and delivering less as the investigation concludes.
State Sponsored or Not?
Also, Yahoo reported their suspicions that a foreign state had been involved only to have their words countered by security professionals who claim it was hackers-for-hire. This counterargument, however, is possibly suspect as well. (Plus, in defense of Yahoo, where’s the rule that forbids state actors from hiring independent contractors? Under such a scenario, it’s still ultimately state-sponsored).
The problem, regardless, is that Yahoo has already had a previous run-in with a state-sponsored hack in 2010. It seems they should have been prepared for a repeat; Yahoo may not be as high flying as in the early aughts, but it’s still a huge target.
Lagging Security Investments
It was also revealed later on that Yahoo had actively blocked attempts to upgrade computer security. Granted, it was because Yahoo has been in an unenviable position financially, and so capital was diverted to where it would make more of an impact on the bottom line. Of course, in hindsight, that turned out not so well.
This, incidentally, echoes the TJX data breach in 2007, which was billed as the largest such incident as of then. Back then, like now, the company heads decided to forgo critical updates to their data security despite knowing they were long overdue.
Much has been made of Yahoo sitting for one month or so on the fact that they suffered a data breach. While I haven’t been updating myself on data breach notification laws as of late, I’m pretty sure that all states give companies at least one month to go public about a security breach (assuming such laws exist; about three or four states still lack one). Even if that’s not the case, the notification can be delayed if an investigation is taking place (which it is: the FBI is looking into the matter).
As such, if Yahoo truly did stumble upon the incident about one month ago, then it should be OK; arguably, it should still be OK if it’s been longer. If not, it would mean that Yahoo would be facing 40+ separate investigations by each state that has a data protection and breach notification law on its books.
Plus, let us not forget that the US population currently rests at 320 million or so. A person could have multiple accounts with Yahoo but the converse is true as well: Americans who’ve never signed up with Yahoo. With over 500 million accounts breached (and possibly up to 1 billion), it feels very possible that accounts of non-Americans must have been breached as well. Will the legal arms of foreign countries jump into the fray? It’s a possibility; they certainly haven’t been shy in the past.
When you are a global company in every sense of the word, and your reach extends to individuals in every corner of the planet, not paying attention to security matters, or even actively choosing to ignore them, is not an option. You already have a target on your back. That one would compound the situation by making it easier to hit simply boggles the mind.