The Record-Breaking Yahoo Cyber-Security Breach: A Reasonable Disclosure or A Calculated Cover-up?


By: Kaley Duncan

Cyber-security is a growing concern worldwide.[1] The continued increase in information sharing via the internet has left that information susceptible to exploitation by hackers.[2] The motive for many cyber-attacks is to sell the information gained to sites that use it for identity theft.[3] If you are like me, your passwords are not only less than creative, but are also likely used for multiple accounts. As such, if your security information has been compromised, the effects can be far-reaching; it could affect not only information from your recent email correspondence, but possibly more important information, such as your bank account number and social security number.[4] Big companies, and even the government, have been looking for ways to combat these hacks.[5] So far in 2016, nineteen companies including Target, Walmart, Snapchat, and the IRS have been targeted by hacking schemes.[6] Recently, another prominent name has been added to the list.

On Thursday, September 22nd, the email platform Yahoo confirmed that 500 million of its user accounts had been hacked.[7] This is the largest security breach on record.[8] Stolen information included emails, passwords, birth dates, telephone numbers, and, in some cases, even security questions.[9] To make matters worse, Yahoo informed the public that these hacks started in 2012 and were just recently discovered by the company’s security team.[10]

Multiple lawsuits have been filed, including a class action alleging gross negligence.[11] The suit, filed by New York resident Ronald Shwartz, contends that Yahoo’s security team knew of the breach long before it was disclosed to the public.[12] Thus far, it is unclear exactly when Yahoo personnel were made aware of the 2012 security breach, but many sources state the company was alerted to the security issues in the summer of 2016.[13] Yahoo claims to have conducted security sweeps since 2012, including one on September 9th, 2016, that led it to believe there was no reason for concern.[14]

Yahoo CEO Marissa Mayer has released little information regarding the controversy. However, from what little she has commented, the company seems to believe this was a state-sponsored hack.[15] A state-sponsored hack is a cyber-security attack conducted by a foreign government.[16] “Yahoo has been stingy with the facts, but that may be at the request of U.S. law enforcement or the intelligence community,” said Leo Taddeo, a former special agent in charge of the FBI’s New York cyber-crime office, in an interview with The Washington Post.[17] “If, in fact, there are signs of a state actor, the authorities would definitely prefer to keep the details out of the public domain. Otherwise, the hackers may get tipped off to the U.S. government’s sources and capabilities.”[18]

Others wonder if the pending merger with Verizon had something to do with Yahoo’s reluctance to release information on the breaches to the public. Verizon is currently on track to acquire Yahoo for $4.8 billion, a figure that may be affected by the hack.[19] In fact, a study by the Ponemon Institute found that the average cost to remediate data per user is approximately $158.[20] According to those statistics, upwards of $70 billion would be required to mitigate the cost of a cyber-security breach of this size. Not surprisingly, this will likely affect the company’s worth.[21]

Senator Mark Warner, a Democrat from Virginia and co-founder of the Senate Cyber-Security Caucus, is suspicious of Yahoo’s failure to disclose information that is of such “vital importance” “to keep the public and investors informed,” and voiced his concerns in a letter to the U.S. Securities and Exchange Commission.[22] Currently there is no federal law requiring the prompt disclosure of security breaches of this nature.[23] “[The] seriousness of this breach at Yahoo is huge,” said Warner in a statement made Thursday afternoon.[24] Recent security breaches, namely those affecting Target and Yahoo, have compelled Warner to promote legislation protecting consumers.[25] In fact, Warner is “working on bipartisan legislation to create a comprehensive, nationwide, and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information.”[26] Most states have already enacted statutes requiring disclosure to consumers.[27]

For example, pursuant to Virginia Code §18.2-186.6(B):

If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay.[28]

While the phrase “without unreasonable delay” is largely left up to interpretation, according to the Ponemon Institute report, the average amount of time required to discover a malicious security breach is roughly 229 days.[29] If Yahoo personnel have been forthcoming with their investigation, it took them nearly two years to discover this major security breach, three times the reported average.[30] One cannot help but speculate: was this really a reasonable delay in disclosure, or a calculated cover-up? As new facts emerge the motive may be revealed, but until then the public is left with concerns about Yahoo’s transparency.


[1] See generally Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, at 1 (2016), http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN (analyzing statistics of cyber data breaches worldwide).

[2] See Ali Hedayati, An Analysis of Identity Theft: Motives, Related Frauds, Techniques, and Prevention, 4 J. of L. & Conflict Resol. 1, 2–3 (2012), http://www.academicjournals.org/article/article1379859409_Hedayati.pdf.

[3] See id. at 10.

[4] See id. at 4.

[5] See Riley Walters, Cyber Attacks on U.S. Companies Since November 2014, Heritage.org, http://www.heritage.org/research/reports/2015/11/cyber-attacks-on-us-companies-since-november-2014 (last visited October 3, 2016).

[6] See Judy Leary, The Biggest Data Breaches in 2016, So Far, Identity Force Blog, https://www.identityforce.com/blog/2016-data-breaches.

[7] See Kif Leswing, Yahoo Confirms Major Breach – and it Could be the Largest Hack of All Time, Business Insider (Sept. 22, 2016), http://www.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9.

[8] http://www.mercurynews.com/2016/09/23/yahoo-hit-with-class-action-lawsuit-over-massive-data-breach/

[9] See Nicole Perlroth, Yahoo Says Hackers Stole Data on 500 Million Users in 2014, N.Y. Times (Sept. 22, 2016), http://www.nytimes.com/2016/09/23/technology/yahoo-hackers.html?_r=0.

[10] See id.

[11] See Reuters, Yahoo is Sued for Gross Negligence Over Huge Hacking, Fortune (Sept. 23, 2016), http://fortune.com/2016/09/23/yahoo-is-sued-for-gross-negligence-over-huge-hacking/.

[12] See id.

[13] See Hayley Tsukayama, Data Breach: What Yahoo Knew When Could Cause it Trouble, Union-Bulletin.com, http://www.union-bulletin.com/news/business/data-breach-what-yahoo-knew-when-could-cause-it-trouble/article_0e099de4-880a-11e6-ba24-cff074054d7e.html (last visited October 3, 2016).

[14] See Paul Szoldra, Yahoo Won’t Answer the Most Important Question About its Massive Hack, Business Insider (Sept. 28, 2016), http://www.businessinsider.com/yahoo-massive-hack-2016-9.

[15] See Account Security Issue FAQs, Yahoo.com, https://help.yahoo.com/kb/account/SLN27925.html?impressions=true (last visited October 1, 2016).

[16] See Timour Rashed, State Sponsored Hacking and Cyber Security Policy, Tim Tech Support Blog (Apr. 18, 2012), http://timourrashed.com/state-sponsored-hacking-and-cyber-security-policy/.

[17] See Hayley Tsukayama, Could Yahoo be in Trouble with the SEC?, The Washington Post (Sept. 28, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/09/28/could-yahoo-be-in-trouble-with-the-sec/.

[18] Id.

[19] See Perlroth, supra note 9.

[20] See Ponemon Institute Report, supra note 1, at 1.

[21] See Leswing, supra note 7.

[22] See Senator Warner Calls on SEC to Investigate Disclosure of Yahoo Breach, Mark R. Warner Blog (Sept. 26, 2016, 12:15 PM), http://www.warner.senate.gov/public/index.cfm/bloghome; see also Letter from Mark R. Warner, U.S. Senator, to The Honorable Mary Jo White, U.S. SEC Chair (Sept. 26, 2016), https://www.scribd.com/document/325367178/20160926-Letter-to-SEC-on-Yahoo-Breach.

[23] See Perlroth, supra note 9.

[24] See Mark R. Warner Blog, supra note 22.

[25] See id.

[26] Id.

[27] Nat’l Conf. of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

[28] Va. Code Ann. § 18.2-186.6 (2016).

[29] See Ponemon Institute Report, supra note 1, at 3.

[30] See Perlroth, supra note 9.
