In 2012, 2013 and 2014 Yahoo suffered several data breaches that affected the account information of, respectively, 200 million, 1 billion and 500 million consumers. The cybercriminals used stolen passwords, email addresses and dates of birth to break into customers’ accounts at Yahoo, Google and other webmail providers. The hackers particularly targeted Russian journalists, US and Russian government officials, and private-sector employees of financial, transportation and other companies recognised as critical infrastructures in the US.
Insufficient security measures and failure to disclose
For years, Yahoo used inadequate measures to secure sensitive customer information. It secured a billion passwords stolen in 2013 using an outdated and untrustworthy MD-5 algorithm – a hash function designed back in 1991. Yahoo’s legal team and senior management knew about the data breaches, but failed to report them to consumers and governmental authorities. Yahoo only began disclosure in autumn 2016, when it reported one of the breaches amidst the acquisition of its web operations by Verizon Communications Inc. In its filings to the Security Exchange Commission in December 2016, Yahoo revealed the other incidents, including the one affecting 1 billion users. This combination of poor security and inadequate reporting has already led to severe consequences for Yahoo and its executives.
Financial, administrative and other implications
The disclosures delayed the closing of the acquisition deal and allowed Verizon to negotiate a USD 350 million discount on the initial USD 4.8 billion previously agreed between the parties. In addition, Verizon and Yahoo agreed to share the costs of the legal aftermath of the incidents.
According to its recent annual report (p. 45-47), Yahoo – a publicly owned company – also faces approximately 43 putative consumer class action lawsuits, four stockholder derivative actions and one putative stockholder class action. Some lawsuits target Yahoo’s executives individually. As Yahoo did not have cybersecurity liability insurance, the company will have to pay all expenses resulting from the data breaches out of its own pocket.
In addition, financial, consumer and data protection authorities in the US and EU have launched investigations into Yahoo’s cybersecurity practices. The combined EU data protection authorities are “deeply concerned” about the data breaches and will scrutinise the matter on both EU and national levels. The cybersecurity incidents have also affected Yahoo’s executives. Its general counsel resigned, and CEO Marissa Mayer gave up her cash bonus that could have amounted to USD 14 million.
Lessons to be learnt
The Yahoo case gives a unique insight into the costs and implications of failed cybersecurity governance. A successful cybersecurity strategy should not only include up-to-date and regularly-reviewed technical protection measures, but also contain incident response mechanisms, reporting procedures, and regular staff training. Companies should furthermore consider the benefits of cybersecurity insurance. While it may not always be possible to outsmart the hackers, companies can control and mitigate the gravest consequences of cybersecurity incidents.