At first it seemed like a strange case of déjà vu, then the reality hit that Yahoo had, incredibly, been hit by a second, bigger data breach. Combined with the 2014 breach already disclosed by the company, the number of compromised accounts following this new 2013 breach stands at 1.5 billion. 1.5 billion.
As experts express their shock at the number of accounts hit, the time it took to discover the breach and the obvious security failings at Yahoo, I can’t help thinking that this saga is becoming the very definition of insanity – doing something over and over again and expecting a different result.
As experts and consumers demand answers from Yahoo, with the exact same questions asked in September earlier this year, there is one player in this saga which may look to break the cycle of insanity – with devastating results for Yahoo.
“Insanity: doing the same thing over and over again and expecting different results” – Albert Einstein
In the aftermath of the disclosure of the first data breach, Verizon’s general counsel Craig Silliman said that it was “reasonable” for Verizon to believe that the impact of the breach was “material”. This refers to specific legal language in the deal that says Verizon can withdraw if an event occurs which “reasonably can be expected to have a material adverse effect on the business, assets, properties, results of operation or financial condition of the business.”
Further reports suggested that Verizon was looking for a $1 billion price reduction in the acquisition deal, with the New York Post reporting that this move was being met with fierce resistance from Yahoo.
So now, with this second, bigger breach, will Verizon argue that there has indeed been a ‘material adverse effect’ on the Yahoo assets it is set to acquire? Could we be looking at a major price cut in the deal, or could it be scrapped altogether?
Although Verizon told The Wall Street Journal that ‘all options were on the table’ following news of the second breach, the acquisition price tag seems set to be collateral damage in the fallout from the mega breaches.
Seeing as it took three years (three years!) to discover the largest known data breach in history, there is not much customers can do – Yahoo has advised users to change their passwords, but it’s been three years. The damage has already been done to the customer.
Damage to the company has already been seen too – the brand took a major hit after the first breach, with the second breach making the company synonymous with ‘the biggest known data breach in history’ – not a moniker which attracts customers or investors.
The company’s leadership has also been cast in a shadow of doubt, with CEO Marissa Mayer’s valiant statement following the first breach now proving to be without substance.
“In addition to our continued efforts to strengthen our business, we are busy preparing for integration with Verizon. We remain very confident, not only in the value of our business, but also in the value Yahoo products bring to our users’ lives,” said Mayer.
“To that end, we take deep responsibility in protecting our users and the security of their information. We’re working hard to retain their trust and are heartened by their continued loyalty as seen in our user engagement trends.”
Those in the industry are betting on the $4.8bn price tag being slashed, with Taylor Wessing’s Paul Glass arguing that the price of the deal will be the major casualty of this mega breach.
“This latest breach must have a significant impact on the price of the Verizon acquisition. The scale of the two breaches, coupled with what they appear to show about Yahoo’s approach to security, will surely add even more weight to Verizon significantly lowering the purchase price,” said Mr Glass.
John Madelin, CEO at RelianceACSN, agrees that Verizon will do some hacking of its own, slashing the price of the deal by more than double what was sought after the first hack.
“If Verizon were seeking a billion-dollar discount from the agreed $4.8bn takeover, then logically a breach twice the size should shave off a further $2bn.”
Although this is mere speculation at such an early stage following the disclosure of the second mega breach, slashing the acquisition price has consequences which extend far beyond Yahoo having a couple of billion less in its post-acquisition coffers.
“Such disclosure, taking into consideration the unclear and even suspicious disclosure timeline – just before the buyout, may provide a valid reason for Yahoo’s shareholders to sue Yahoo’s top management if the deal fails or brings less money than expected,” said Ilia Kolochenko, CEO of High-Tech Bridge.
Many turbulent months remain in Yahoo’s future, with the company looking set to leave the negotiating table a billion or so lighter than when talks first started. Although Yahoo cannot undo the damage to its customers, brand and business, other companies should take heed of this mega breach saga.
John Madelin expects that “C-Suite and board members around the business community will be following this very closely, and reconsider their approach to security in proportion to losses Yahoo will suffer”, while Lastline’s Brian Laing believes that a Verizon price cut may “stand as a sober reminder how important it is to get a state-of-the-art cyber defence strategy in place.”
Companies need to be guided by the failings of Yahoo, with Andrew Bushby, UK director of Fidelis Cybersecurity, urging companies worldwide to reconsider their security posture.
“It’s becoming increasingly clear that no company is immune from attack and as more companies are breached, more data will be up for sale in the public domain, making further attacks more likely – in essence, this means that preventative security solutions are no longer enough.”
Gartner Research Director Jonathan Care recommended to CBR a fourfold strategy for organisations to engage in:
Predicting threats and understanding risk
Protecting the organisation against threats
Detecting threats in the clear and certain anticipation that there are well-resourced, well-funded adversaries with skills and time that are in excess of our own. In addition, it should be noted that the risk of insider threat rises when a company is in a turbulent process such as an acquisition or even a downturn. We need to deploy machine analytics.
Responding with a well-rehearsed incident process to remedy an attack and restore normal business operation. This in many ways is the key role of the modern CISO – not to be the defender of the battlements, but to ensure business survivability.