Yahoo and Verizon have finally agreed on a deal, hundreds of millions of dollars below its first asking price. Verizon will now acquire Yahoo for US$4.48 billion (£3.6 billion), US$350 million (£281 million) below its original proposition.
The companies finally signed the deal on 19 Feb after many months of negotiations and delays. Much of the delay, and discount, has reportedly come as a result of the disclosure of two major breaches by Yahoo and the resulting loss in value and ensuing liability that Verizon may adopt as part of its acquisition.
Yahoo will actually be discounted by even more than originally expected. Reports came out earlier this month that the sale of Yahoo to global media giant Verizon would be discounted by only US$300 million (£240 million).
Matt Middleton-Leal, regional VP for the UK, Ireland and Northern Europe at CyberArk told SC Media UK that, “Verizon's cut-price deal to acquire Yahoo shows just how costly data breaches can be. The £281m knocked off the original deal is indicative not just of damage to the company's reputation but also to the potential cost of future lawsuits. The fallout of this deal should serve to cement the topic of cyber-security as a Board-level imperative. The risk of not doing so is just too great.”
Verizon first announced its intentions to acquire the company in July 2016, for US$4.8 billion (£3.85 billion). In September, Yahoo announced that the data of 500 million customers had been accessed in 2014 by what it believed to be a state-sponsored adversary. In December Yahoo announced in a blogpost that in 2013, that what it believed to be the same adversary, had accessed the accounts of one billion users, stealing their names, emails, phone numbers, dates of birth and MD5 encrypted passwords.
It was later revealed by a US Securities and Exchange Commission (SEC) filing that certain Yahoo executives had known about the breach but had not told users until 2016.
Rumours quickly abounded about what effect this would have on the billion dollar deal, with the two companies remaining quiet on the specifics.
The pall cast by those two breaches has not quite lifted. In late January, the SEC was said to be investigating the company over its failure to inform stakeholders of its breach. Even earlier this month Yahoo sent out emails to users that it believed some accounts were being attacked using information taken from the mammoth breaches of the year before.
Despite Yahoo's troubles, and its considerable devaluation, the deal has not been derailed. Reuters recently reported that Verizon had conducted a brand study showing that Yahoo's reputation remained resilient in the face of some of the biggest breaches ever recorded. The report added that the loyalty of Yahoo's users along with the great amounts of data it held were valuable enough for the deal to go ahead.
The companies told press earlier this week that they expect the deal to finally close in the second quarter of this year.
Rob Norris, VP head of enterprise and cyber-security EMEIA at Fujitsu told SC that this will serve as a wake up call: “today's news shows that a cyber-attack could have a significant impact for companies in merger and acquisition discussions.”“The damage to reputation and brand has always been a primary reason for concern for organisations who weren't seen to be implementing sufficient housekeeping and security controls, but huge ICO fines coupled with real damage to a company valuation will ensure that cyber-security related issues become an even higher priority.”