Yahoo has certainly hit troubled waters of late – disappointing growth overshadowed by a massive data breach in August 2016 has hit the brand hard, not to mention throwing its $4.8bn Verizon deal under a cloud of uncertainty. The latest disclosure regarding the Yahoo hack will only prove to further muddy the troubled waters the search giant finds itself in, with the company admitting in a filing that some staff knew of the breach back in 2014.
In a filing with the US Securities and Exchange Commission, Yahoo said: “The company had identified that a state-sponsored actor had access to the company’s network in late 2014.”
The massive data breach first came to public attention in September 2016, when Yahoo publicly disclosed that a cyber attack had hit the company in 2014 and had potentially put the data of 500 million users at risk. However, it seems that some Yahoo personnel knew about the hack soon after it was said to have occurred.
The FT cited a person familiar with the investigation as saying that Yahoo originally didn’t have ‘the full picture’ of what happened because of the ‘sophisticated nature of the state-sponsored attacks’. The source went on to say that when Yahoo brought in outside experts to investigate the possibility of a separate breach, which turned out to be false, the company then formed a more complete picture.
However, the mere fact that Yahoo staff knew about the attack has caused many experts to slam the Internet giant, saying that this latest disclosure of knowledge is worse than the actual hack.
“Yahoo getting breached is unfortunate but, perhaps, understandable in the current climate when many companies are beginning to realise the question for them should be when, not if,” said Lee Munson, security researcher at Comparitech.com.
“The fact that Yahoo staff knew of the breach at the time it occurred and kept quiet is completely and utterly unforgivable. Not only is it what appears to be a complete cover-up as the company continues merger talks with Verizon, it is also a huge slap in the face to half a billion customers who must now be wondering whether they can ever trust Yahoo again.”
Some are pointing the finger of blame at the company culture for the slow response following the Yahoo hack, particularly now that we know some staff knew of the attack. Drawing on experiences from the cybersecurity circuit this year, Stephen Gates, chief research intelligence analyst at NSFOCUS, said:
“From the recent keynote speeches in several cybersecurity conferences in the U.S., the audience learned that Yahoo had some serious internal cultural issues. According to the keynotes, the employees responsible for securing Yahoo from cyberattacks were publicly called ‘The Paranoids’ within the organisation itself. If true, these types of findings lead one to believe that the highest ranking officers in the company are responsible for fostering this type of appalling culture, and should be held directly responsible for its result.”
Many security pros have long since adopted the ‘when, not if’ approach to security. Did the Yahoo hack come as a surprise? Maybe not, as companies are repeatedly told that attacks are now an inevitability. The size of the Yahoo hack was certainly shocking, but the fact that Yahoo staff knew about the attack could prove the biggest shock of the whole saga.
It has become a PR disaster for Yahoo and, as any security pro knows, the first asset to protect is your corporate brand and reputation – after, of course, locking down systems in the immediate aftermath of a breach. This is why Yahoo is shaping up to be the poster company for the true cost of a data breach:
“This ongoing saga from Yahoo has laid bare the true cost of cyber-attacks. The real risk doesn’t necessarily come from loss of intellectual property, or damage to business operations, but rather the ongoing harm to the organisation’s reputation,” said ViaSat’s Neil Fraser.
“The cost might not be immediately apparent, but over time – or if the business is in a sensitive period – it could easily reach billions of dollars. The stakes are so high that organisations need to treat cyber-attack not only as a threat, but as an inevitability; as whether an attacker is a state, or state sponsored, a criminal enterprise, or a single individual looking to boost their reputation, they can cause irreparable damage. In this case, an attacker who was looking to sell the stolen data for $1,800 could easily have cost Yahoo! a million times that amount.”
Although Marissa Mayer, chief exec at Yahoo, was ‘heartened’ by the loyalty of users in an earnings call last month, the rise in profits the CEO reported may falter after this latest disclosure. Yahoo needs to prioritise transparency going forward, or it will continue to be the model example of how not to handle a data breach.
This article is from the CBROnline archive: some formatting and images may not be present.