Yahoo’s misery from its 2014 breach continues with a report that employees knew of the breach at the time of the incident but did not disclose it until 2016
March 8, 2017 |
The Yahoo security breach, which resulted in 500 million customer emails being compromised, will become a case study in what not to do when suffering a data breach, how not to set up one’s cyber security system, and how significant the reputational damage can be.
Yahoo said that an independent committee it set up to investigate the 2014 incident found that the full scale of the breach was not uncovered at the time. In filings with the US Securities and Exchange Commission it is clear that staff did know of the breach in late 2014. The filing is a sober reminder, if one is required, that data breaches
Description of Events
On September 22, 2016, we disclosed that a copy of certain user account information for approximately 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “2014 Security Incident”). The Company believes the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with the “bcrypt” hashing algorithm) and, in some cases, encrypted or unencrypted security questions and answers. Our forensic investigation indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. We have no evidence that the state-sponsored actor is currently in or accessing the Company’s network.
On December 14, 2016, we disclosed that, based on our outside forensic expert’s analysis of data files provided to the Company in November 2016 by law enforcement, we believe an unauthorized third party stole data associated with more than one billion user accounts in August 2013 (the “2013 Security Incident”). We have not been able to identify the intrusion associated with this theft, and we believe this incident is likely distinct from the 2014 Security Incident. For potentially affected accounts, the user account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the MD5 algorithm) and, in some cases, encrypted or unencrypted security questions and answers. The stolen information did not include passwords in clear text, payment card data, or bank account information.
In November and December 2016, we disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the investigation, we believe an unauthorized third party accessed the Company’s proprietary code to learn how to forge certain cookies. The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016 (the “Cookie Forging Activity”). We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 Security Incident. The forged cookies have been invalidated by the Company so they cannot be used to access user accounts.
Our products and services involve the storage and transmission of Yahoo’s users’ and customers’ personal and proprietary information in our facilities and on our equipment, networks, and corporate systems. Yahoo is routinely targeted by outside third parties, including technically sophisticated and well-resourced state-sponsored actors, attempting to access or steal our user and customer data or otherwise compromise user accounts. We believe such a state-sponsored actor was responsible for the theft involved in the 2014 Security Incident and for at least some of the Cookie Forging Activity. Security breaches or other unauthorized access or actions expose us to a risk of theft of user data, regulatory actions, litigation, investigations, remediation costs, damage to our reputation and brand, loss of user and partner confidence in the security of our products and services and resulting fees, costs, and expenses, loss of revenue, damage to our reputation, and other potential liability. Outside parties may attempt to fraudulently induce our employees, users, partners, customers, or other parties to disclose sensitive information or take other actions to gain access to our data or our users’ or customers’ data, and such unauthorized access may continue undetected for an extended period of time. In addition, hardware, software, or applications we procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise network and data security. In addition, systems and software implemented by us or our partners may contain security vulnerabilities, or may be implemented improperly due to human error or limitations in affected systems. 
Additionally, some third parties, such as our distribution partners, service providers, vendors, and app developers, may receive, transmit, process, access or store information provided by us or by our users through systems and applications that are integrated with Yahoo systems, properties and services. If these third parties fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users’ data may be improperly accessed, used, or disclosed. Security breaches or other unauthorized data disclosure, acquisition or access (such as the Security Incidents) have resulted in, and may in the future result in, a combination of significant legal and financial exposure, increased remediation and other costs, damage to our reputation, and a loss of confidence in the security of our products, services, and networks that could have a significantly adverse effect on our business. We take steps to prevent unauthorized data disclosure or access to our systems; however, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be disguised or difficult to detect, or designed to remain dormant until a triggering event, we may be unable to anticipate these techniques or implement adequate preventative measures. Breaches of our security measures, such as the Security Incidents, or perceived breaches, have caused and may in the future cause, the market perception of the effectiveness of our security measures to be harmed and could cause us to lose users and customers, or detrimentally affect our relationships with distribution partners, service providers, vendors and app developers.
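The filing above distinguishes the 2014 accounts, whose passwords were mostly hashed with bcrypt, from the 2013 accounts, whose passwords were hashed with MD5. The example below is added here to show why that distinction matters for anyone holding a stolen database; it is not Yahoo’s code. It uses Python’s standard-library hashlib.scrypt as a stand-in for bcrypt (which is not in the standard library), since the two defensive properties it demonstrates, a per-user salt and a deliberately high work factor, are the same; the sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts for the demonstration: two users share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "tr0ub4dor&3",
}


def md5_hash(password):
    """Unsalted MD5 hex digest, the scheme the filing cites for the 2013 accounts."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_slow_hash(password, salt=None, n=2 ** 14):
    """Per-user random salt plus a tunable work factor (n).

    hashlib.scrypt stands in for bcrypt here; the properties shown, salting
    and deliberate slowness, are the ones bcrypt provides. Returns (salt, digest)
    so the salt can be stored next to the digest.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_slow_hash(password, salt)[1], digest)


def duplicate_hash_count(users, hash_fn):
    """Number of stored hashes that are not unique.

    With an unsalted hash, every user sharing a password gets the same digest,
    so one dictionary lookup or one cracked hash exposes all of them at once.
    With a salted hash the count is zero even for identical passwords.
    """
    hashes = [hash_fn(pw) for pw in users.values()]
    return len(hashes) - len(set(hashes))


def cost_ratio(password, rounds=10):
    """Wall-clock cost of one salted scrypt hash relative to one MD5 hash.

    The absolute numbers depend on the machine; the order of magnitude is the
    point. The same ratio applies to every guess an attacker must try offline.
    """
    t0 = time.perf_counter()
    for _ in range(rounds):
        md5_hash(password)
    md5_each = (time.perf_counter() - t0) / rounds

    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(rounds):
        salted_slow_hash(password, salt)
    slow_each = (time.perf_counter() - t0) / rounds
    return slow_each / md5_each


if __name__ == "__main__":
    print("duplicate MD5 digests:", duplicate_hash_count(SAMPLE_USERS, md5_hash))
    print("duplicate salted digests:",
          duplicate_hash_count(SAMPLE_USERS, lambda pw: salted_slow_hash(pw)[1]))
    print("scrypt cost relative to MD5: about %.0fx" % cost_ratio("example"))
```

The two measurements are the ones that decide how much of a leaked table is recoverable: duplicate_hash_count shows that an unsalted scheme leaks which users share a password before any cracking starts, and cost_ratio shows how many more guesses per second an attacker gets against MD5 than against a work-factor hash.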
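The filing also describes forged cookies that let an intruder reach accounts without a password, built after the intruder studied the proprietary code that produced them, and says the forged cookies were later invalidated. The example below is added here to show the standard defence on the server side; it is not Yahoo’s code and the cookie layout, key identifiers and claim names are constructed for the example. A session cookie is bound to a server-held secret with HMAC-SHA256, so knowing the format alone is not enough to mint one, and a single “not before” timestamp plus key retirement lets an operator void every cookie issued before an incident was contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionSigner:
    """Issues and verifies HMAC-signed session cookies.

    Cookie layout (constructed for this example):
        <key id>.<base64url JSON claims>.<base64url HMAC-SHA256 tag>
    The tag depends on a server-side secret, so a client that alters the
    claims, or builds a cookie for another user, fails verification.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.keys = {}            # key id -> 32-byte secret
        self.current_kid = None
        self.not_before = 0.0     # cookies issued before this instant are void
        self._kid_counter = 0
        self.rotate_key()

    def rotate_key(self):
        """Routine rotation: sign with a fresh key from now on. Older keys are
        kept so cookies they signed stay valid until they expire."""
        self._kid_counter += 1
        kid = "k%d" % self._kid_counter
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        return kid

    def retire_all_keys(self, now=None):
        """Incident response: discard every key and reject every cookie issued
        before this moment, whether it was signed with a leaked key or forged.
        Users simply log in again and receive cookies under the new key."""
        now = time.time() if now is None else now
        self.keys.clear()
        self.not_before = now
        self.rotate_key()

    def _tag(self, kid, payload):
        return hmac.new(self.keys[kid], payload, hashlib.sha256).digest()

    def issue(self, user_id, now=None):
        """Create a cookie for user_id; the iat claim records the issue time."""
        now = time.time() if now is None else now
        claims = json.dumps({"uid": user_id, "iat": now}, separators=(",", ":"))
        payload = base64.urlsafe_b64encode(claims.encode())
        tag = base64.urlsafe_b64encode(self._tag(self.current_kid, payload))
        return ".".join([self.current_kid, payload.decode(), tag.decode()])

    def verify(self, cookie, now=None):
        """Return the user id carried by a valid cookie, otherwise None."""
        now = time.time() if now is None else now
        try:
            kid, payload, tag = cookie.split(".")
            if kid not in self.keys:
                return None           # unknown or retired signing key
            # Check the tag before trusting anything inside the payload.
            expected = self._tag(kid, payload.encode())
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
                return None
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except ValueError:            # bad structure, bad base64 or bad JSON
            return None
        iat = claims.get("iat") if isinstance(claims, dict) else None
        if not isinstance(iat, (int, float)):
            return None
        if iat < self.not_before or now - iat > self.ttl:
            return None               # pre-incident or expired
        return claims.get("uid")


if __name__ == "__main__":
    signer = SessionSigner(ttl_seconds=3600)
    cookie = signer.issue("alice")
    print("valid:", signer.verify(cookie))
    signer.retire_all_keys()
    print("after key retirement:", signer.verify(cookie))
```

The design choice worth noting is that retire_all_keys does two things: dropping the keys defeats cookies signed with a secret that may have leaked, and advancing not_before defeats cookies that still carry a valid tag under any key the server might later reintroduce. Routine rotate_key calls, by contrast, keep old keys so that legitimate sessions are not cut off.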