On September 22, 2016, Yahoo! officially acknowledged the largest data breach in the history of the Internet. They evaluated the full extent of the breach at about 500 million Yahoo! user accounts (about 7% of the world’s population!).
A few days later, Business Insider reported that the number of affected accounts may be between 1 and 3 billion. Yahoo!’s back-end architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users, and it is precisely this database that was compromised. Yahoo! has not confirmed the new numbers.
The full breadth of the incident still has to be assessed, but the information that was copied included full names, phone numbers, birth dates, email addresses, and even the security question-and-answer pairs created by users to authenticate their accounts. A large majority of passwords were encrypted and thus may still be protected; however, even 1% of billions of users is still a considerable number of accounts.
Yahoo! was initially among the World Wide Web’s most popular websites, its stock price reaching an all-time high of US$118.75 during the dot-com bubble in 2000. Most Internet users at the time had a Yahoo! account that still existed in the UDB when the company was hacked (Pro tip: delete all of the accounts that you stop using. JustDelete.me or AccountKiller provide instructions to delete accounts or profiles from popular websites).
With all of the accounts that you manage daily, it’s understandable that you don’t remember those you had in 1999 (or maybe you’d rather forget about them!).
Yet, it’s likely that you are using the same authentication questions and that the answers have not changed. So let’s say you used the question “What is your mother’s maiden name?”: then you will have to change the passwords of all the accounts you own that use this question as an authentication back-up. By not doing so, you may allow hackers to pivot from your Internet accounts all the way to your actual bank account (hackers may use techniques such as phishing emails to obtain the missing data).
Yahoo! also owns many other applications that may have been affected, such as Flickr. Fortunately, Tumblr users should not be affected, given that their data is stored in a different database. That said, the accuracy of this assessment may need to be revised following Business Insider’s previously mentioned report, so I suggest changing your password anyway. With such an extended reach, it is likely that Yahoo! is not even aware of all the servers it possesses and will never know the complete extent of the breach. For instance, in the UK, Internet Service Providers Sky and BT issued warnings to their customers because their email services are provided by Yahoo!.
As I write these lines, most of these 500 million users (and still counting…) have absolutely no clue that their personally identifiable information (PII) was stolen. The same problem occurred with the MySpace hack; most of the accounts were inactive and notification e-mails were sent to old mailboxes.
But those who found out about the theft of their data have already initiated class-action suits all over the United States, claiming a wide variety of violations, misconduct and damages.
This spectacular data breach offers a thought-provoking scenario to explore the legal risks that corporations may face due to poor cybersecurity and defective incident response planning.
Yahoo! claimed that the attack was ‘state-sponsored’.
Experts are skeptical.
To begin with, those who have followed the company may have noted that it was the object of “multiple serious hacks in recent years” and that it “has suffered through four chief information security officers between 2013-2015”. Among other things, 450,000 non-encrypted passwords were stolen in 2012.
Yahoo! has also changed CEOs numerous times since 2009. The current CEO, former Google executive Marissa Mayer, was blamed by an anonymous former employee for putting security on the back burner to prioritize economic considerations. A lengthy report by The New York Times exposes Yahoo!’s recurrent poor security choices and notes that:
“Certainly, many big companies have struggled with cyber attacks in recent years. But Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.
To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo’s leadership was often unwilling to make”.
Commentators note that the breach was initially discovered in 2014. At the time, Mayer refused to force an automatic reset of all user passwords, a fundamental action following a data breach.
In July 2016, when Yahoo! received word that information about its users was being sold on the DarkNet, it conducted an internal investigation that found no evidence to support the claim that a breach had occurred. It was Yahoo!’s security team’s initiative to conduct a broader review that allowed the company to discover that 500 million credentials had been stolen in 2014.
One of the lawsuits filed by users points out that the average time to identify a hack is 191 days, and the average time to contain it is 58 days. It took Yahoo! two years to discover the security incident. That’s about 730 days, or four times the average. These are fairly poor results for a company that specializes in technological services.
On September 28, 2016, Bob Lord, Yahoo’s CISO, spoke at the Structure Security Conference in San Francisco. He explained that Yahoo! does not know whether the sale of its users’ credentials in July is related to the initial 2014 breach, but it prompted the inquiry which allowed the discovery.
The data that was sold this summer is believed to have been sold by the hackers Peace_of_Mind and tessa88. An analysis revealed that these 200 million records were compiled from numerous third parties and not stolen from Yahoo!. The hackers may just have thought that a “potential Yahoo breach may have been hype at the time to monetize the data, much of which was considered 'garbage' by experts”.
So what about the 500 million accounts? Were they stolen by an all-powerful nation-state? Experts have doubts. A report indicated that the “data is in SQL format, meaning it was a server-side dump”, and therefore, the hackers who breached Yahoo! “likely did so by exploiting a web-application vulnerability to gain access to the user database”. Another cybersecurity expert declared that “This is not in the spirit of government-sponsored hackers. This seems to be an amateur job rather than a sophisticated government”.
Maybe these experts do not have all of the data that Yahoo! has to conclude that a state-sponsored hack occurred. Nonetheless, lawyers may have been right when they noted that “Yahoo’s failure to safeguard its users’ very personal, sensitive information, in direct violation of its promises, is utterly unacceptable in this day and age. The fact that a breach of this magnitude went undetected at a tech giant like Yahoo! for two years is astounding.”
In the McMahon lawsuit, the attorneys wrote that Yahoo! “intentionally, willfully, recklessly, or negligently” failed to protect its computer systems and failed to tell users that their data “was not kept in accordance with applicable, required, and appropriate cyber-security protocols, policies and procedures.”
Beyond Yahoo!’s apparent poor cybersecurity, other concerns have emerged regarding the company’s overall response. It appears that the company’s CEO was aware of the breach in July but failed to notify users. A lawsuit filed in San Jose alleges that the company was “grossly negligent” as it knew of the breach long before it disclosed it. Florida law, for instance, requires disclosure within a reasonable time frame, usually 30 days.
It is also noteworthy that Yahoo! is in the midst of a $4.8 billion acquisition by Verizon, following a merger agreement signed on July 23rd, 2016. As part of that, Yahoo! affirmed to the Securities and Exchange Commission, on September 9th 2016, that it did not have knowledge of any data breach. Yet, the security incident was made public less than two weeks after this statement, and circumstantial evidence suggests that Yahoo! had been aware of the breach since at least July. This has prompted six Senators to address a letter directly to Mayer, requesting that she answer a series of questions. Non-disclosure would raise serious legal issues under the federal securities laws.
The quick filing of lawsuits after a data breach is usual, but success is not. As Judge Hornby noted in the 2009 Hannaford decision, the cases almost uniformly assert that there is no recovery if there is only a risk of injury and no actual misuse, which is the case with most data breaches[i]. Nonetheless, Paul Bond eloquently wrote that:
“plaintiffs’ attorneys of the privacy class action bar are the hackers of the American judicial system. Like hackers, plaintiffs’ attorneys mount a long-term, decentralized attack, probing for a weak point”.
In 2011, the Court of Appeals in the Hannaford case found an implied contract between companies and credit or debit card consumers according to which the former must take reasonable measures to protect the information (Anderson v. Hannaford Brothers Co., 2011 U.S. App. LEXIS 21239).
While the jurisprudence continues to evolve, plaintiffs often turn to consumer protection statutes to show violations of law and obtain statutory damages.
The Federal Trade Commission is also often involved. Its jurisdiction was recently confirmed in Wyndham Worldwide Corporation based on 15 U.S.C. § 45(a), which prohibits “unfair and deceptive acts or practices in or affecting commerce”. The failure to implement reasonable and appropriate measures to protect personal information is seen as contrary to this provision.
Overall, and even considering the mixed success of private lawsuits, companies commit considerable resources to defending themselves in the many legal actions that follow a data breach. They also often opt for a settlement to limit damages. In August 2014, LinkedIn agreed to a $1.25 million settlement, in which each consumer was eligible for $50. The settlement also required the website to implement specific data security protocols, among them industry-standard encryption. In November 2014, Sony Pictures Entertainment agreed to settle a lawsuit with a total price tag of about $15 million. The settlement also required that the corporation offer an ongoing ID protection service via AllClear, valued at a total of $4 million.
The best approach to cybersecurity for mid-sized companies is to start by understanding the company's current cybersecurity posture, so as to know where to focus security efforts, and to opt for Managed Security Services to protect critical assets and avoid pitfalls like those of Yahoo!. If a tech giant has trouble meeting industry standards, it should indicate that cybersecurity is best left to those who make it a full-time priority.
Managed Security Services allow for a 24/7 monitoring of networks to compare their behavior with that of other networks, based on a state-of-the-art knowledge base built from experiences with a wide variety of network architectures. Underfunded Computer Security Incident Response Teams (CSIRT) are unable to face the challenges of an evolving threat landscape.
[i] Alan Charles Raul et al., “Developments in Data Breach Liability” (2009) Privacy & Data Security Law J 733 at 733.