Yahoo mega-breach raises key questions, criticisms

News by Bradley Barth

One day after Yahoo disclosed one of the largest data breaches in history, Internet and data security experts continue to weigh in on the historic incident that compromised over 500 million user accounts. To that end, SC presents three key questions, as observers assess short- and long-term ramifications for the Internet giant, its customers, and the infosec community as a whole.

What will this cost Yahoo, and how bad is the damage?

The 2016 Ponemon Cost of Data Breach Study found that the average consolidated total cost of a data breach grew from US$3.79 million (£2.9 million) last year to US$4 million (£3 million) this year. Financially, Yahoo will likely be on the hook for costs related to forensic investigations, mass notifications, remediation efforts and potentially future lawsuits.

The breach could also impact Yahoo's US$4.8 billion (£3.6 billion) acquisition by Verizon, which announced plans to purchase the Internet company in July. In a separate corporate statement yesterday, Verizon acknowledged that it only learned about the breach “within the last two days.”

“This is a nightmare to be going through a large data breach while also completing an acquisition at the same time,” said Jeff Schilling, chief of operations and security at data breach prevention company Armor. “A breach of this size would likely affect the valuation of Yahoo. And, it reinforces the need for comprehensive due diligence of IT infrastructure, especially cyber security posture, in the M&A process.” 

“In summary, this breach is concerning on two fronts – the sheer scale and the apparent lack of understanding of the cyber security landscape of a high-value acquisition target. There is a tremendous lesson to be learned here.”

Yahoo also could face a potential backlash from disaffected customers who could choose to move on from its web services such as email. “Like all companies who suffer this type of attack, the biggest risk is always the reputational risk, and this is obviously a big reputational hit,” said Brenda Sharton, litigation partner and co-chair of the global Privacy & Cybersecurity practice at Goodwin, in a phone interview with SC.

In the wake of the Yahoo breach, encryption company Alertsec released results from a survey that demonstrates how breaches can damage a brand. According to the polls, 17 percent of men and 11 percent of women said their trust would be permanently lost following a data breach. 

“Alertsec's brand value research demonstrates just how difficult it will be for Yahoo's brand to recover from this breach,” said Ebba Blitz, CEO of Alertsec, in an email to SC. “Customers who are affected by data breaches suffer a significant loss of trust...”

Is it too early to judge Yahoo's incident detection and response efforts?

Not if you're the research firm Forrester, which published a critical “Quick Take” on the Yahoo breach today. Jeff Pollard, a Forrester principal analyst specialising in the security and risk industry, told SC that “Yahoo seems disconnected from their users with this breach. They don't seem to really understand what this means for their users and they seem to not be handling the breach response in a way that shows they've learned any lessons from other breach responses over the last few years.”

The Forrester report criticised Yahoo's disclosure announcement for prominently referencing the alleged involvement of a nation-state, opining that the company was trying to make itself look like it was overmatched from a cybersecurity perspective. “[Yahoo was] almost saying ‘This wasn't our fault because it was a nation-state and they're advanced.' And that's just not true… It is their fault, regardless,” said Pollard.

Forrester also accused Yahoo of downplaying the significance of the breach and compromised data, withholding details of the incident, demonstrating a lack of clarity regarding what information was encrypted, and minimising coverage of the announcement on Yahoo's own website. “Looking at Yahoo within a few hours of the breach, they literally had more headlines about Brad and Angelina than they did about the breach,” Pollard remarked.

Others questioned why it took so long for Yahoo to identify and confirm the breach, which occurred in late 2014. “It is quite surprising that a tech firm like Yahoo would not be able to detect a breach for so long,” said Rahul Telang, a data breach expert and professor of information systems at Carnegie Mellon University's Heinz College, in an email interview with SC. “It does not look good for Yahoo. Having a breach is one thing, but a quick and timely detection and disclosure can alleviate the bad press associated with the breach.”

James Maude, senior security engineer at Avecto, expressed a similar sentiment in a statement emailed to SC. “Users should be concerned about how a behemoth of the Internet failed to notice this for such a long period of time. This is especially concerning as Yahoo promised to have overhauled security following the allegations of government interference in the Snowden documents,” said Maude.

“Time and time again we see organisations failing to notice suspicious activity occurring in their environment and on their endpoints, as they are reliant on failing detection solutions that simply can't spot unique targeted attacks,” Maude continued, also noting that Yahoo's would-be parent company Verizon publishes an industry leading report on data breaches, which could lead to “a few awkward conversations happening internally this week.”

Yahoo uncovered the mega-breach while investigating claims of yet another breach involving a hacker going by the nickname Peace, who was reportedly selling on the dark web data belonging to around 200 million Yahoo accounts. Pollard from Forrester wondered what became of this original lead. “Were these in any way affiliated with each other from a threat actor perspective or an information-sharing perspective? If not, then it certainly raises the questions of how many threat actors have been able to capture a data set of this size from Yahoo.” 

What do the perpetrators plan to do with the data? And what can companies like Yahoo do to better protect our data moving forward?

There's no question that digital data is a valuable commodity for legitimate corporations and bad actors alike. Data stolen from Yahoo's network may have included names, email addresses, telephone numbers, birth dates, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers.

Cybercriminals can use this information to craft convincing spear phishing emails targeting Yahoo users and their contacts. Or they can leverage the data to try breaking into other web service accounts that might share the same passwords.

Sharton from Goodwin recalled several major companies experiencing similar breaches approximately two years ago “where it was a little bit of a head-scratcher because the hackers would go in and just get the passwords” rather than further probe the network for potentially more valuable data.

Since then, she said, it's become clear that the perpetrators were “banking on the fact that people tend to use the same passwords” across multiple services, which allows cybercriminals to access these accounts as well. Experts have advised online account holders to use long, complex passwords, change passwords frequently and use multi-factor authentication.

If a nation-state is actually behind the attacks, it can also potentially use this information for intelligence-gathering and extortion.

“It is likely the threat actors will use this data to do brute-force attempts against other cloud services, hoping some of the 500 million victims used their credentials for multiple sites,” said Schilling from Armor. “The Chinese have a track record of grabbing large data sets from companies and are probably one of the top suspects.”

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state's intelligence services could find and access the messages of individuals with political, government, military and even corporate public profiles,” said Steve Grobman, Intel Security CTO, in comments emailed to SC.

“Consider the recent compromise and disclosure of Former Secretary of State Colin Powell's personal email messages… The emails of the less tame or even reckless candidate, three-letter agency chair, general or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission or influence high-level negotiations and decisions. The incentive is there, the reputation threat is real, and 500 million is tremendous worldwide reach.”

Sharton's colleague Karen Neuman, former DHS Chief Privacy Officer and a partner and lead at Goodwin's DC privacy practice, said that as large-scale breaches become the norm, companies and governments may have to raise their standards for data stewardship.

This would involve a focus “not only on protecting the network perimeter from intrusions, but also using very sophisticated technologies to prevent exfiltration of valuable corporate data, which could include personal information,” said Neuman.

“I think what you're going to start seeing is more of a conversation [around] deployment of these tools in the context of potential regulatory security or even litigation,” Neuman continued. “The adoption of these tools could represent an evolution in the legal standard of… what court and regulators are going to require of companies.”
