Yahoo Cyber Attack Case Study

Yahoo! is a web services provider headquartered in Sunnyvale, California and owned by Verizon Media. The original Yahoo! Company was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 2, 1995. Yahoo was one of the pioneers of the early Internet era in the 1990s. It provides or provided a Web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports, and its social media website (Trautman & Ormerod, 2017).

In September 2016, Yahoo confirmed a massive security breach in which hackers swiped personal information associated with at least 500 million account that took in place in 2014, disclosed that a different attack in 2013 compromised more than 1 billion accounts (Trautman & Ormerod, 2017). Yahoo later admitted that all of the 3 billion user accounts had been hacked in 2013. This cyber-attack is now considered the largest known breach of its kind on the Internet.

Yahoo! has been taken to task for having a seemingly lax attitude towards security: the company reportedly does not implement new security features as fast as other Internet companies, and after Yahoo! was identified by Edward Snowden as a frequent target for state-sponsored hackers in 2013, it took the company a full year before hiring a dedicated chief information security officer (Trautman & Ormerod, 2017). Even though it is too early to say what impact the breach might have on Yahoo and its users because many questions remain, including the identity of the state-sponsored hackers behind it. But there are already some impact to Yahoo users and stakeholders. As Yahoo confirmed the stolen user information was being used primarily for spamming, i.e., sending spam to the people whose information was stolen (Trautman & Ormerod, 2017).

The breaches have impacted Verizon Communications’ July 2016 plans to acquire Yahoo! for about $4.8 billion, which resulted in a decrease of $350 million in the final price on the deal closed in June 2017 (Trautman & Ormerod, 2017). According to Reuters, In April 2018, the SEC announced that it had reached a deal with Altaba, the company that holds the assets of Yahoo! not purchased by Verizon, for US$35 million for failure to disclose the 2014 breach in a timely manner.

In response to the cyber attach, Yahoo! forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future. Even though Yahoo! has said that it has “revised” procedures for responding to cyber-security incidents, it is not clear currently what else has been done to beef up the security posture (Trautman & Ormerod, 2017).

If organizations are ambitious enough to seek to close the door on common types of cyberattack, they must also be realistic enough to accept that advanced attackers will get in. In which case it is crucial to be able to identify intrusions as quickly as possible — and to have processes that are known to provide the organization with an effective means to deal with the after-breach situation and to kick attackers back out(Gengler, 1999). A Security Operations Center (SOC) that sits at the heart of the organization’s cyber threat detection capability is an excellent starting point, providing a centralized, structured and coordinating hub for all cybersecurity activities (Gengler, 1999). SOCs are becoming increasingly common. This does not mean the SOC has to build capability for every possible aspect of cybersecurity strategy and leading practice. Many organizations choose to outsource some activities, rather than leaving them with the in-house SOC. Identifying and closing off these vulnerabilities in your organization before they are exploited is therefore crucial. Indeed with good cybersecurity hygiene in place, it should be possible to prevent a very sizeable proportion of common attacks. Other steps a business can take to better support the IT (information technology) department’s security efforts are being aware of the most common types of security breaches affecting your type of organisation, undertake a security risk review, develop policies, procedures and plans, Create a culture of cyber-security awareness, designate a person to act as Cyber Security Officer, review contractual agreements, and review intellectual property arrangements (Gengler, 1999).

References

Gengler, B. (1999). Cyber attacks from outside and inside. Computer Fraud & Security, 1999(5), 6-7. doi:10.1016/S1361-3723(99)90142-2

Trautman, L. J., & Ormerod, P. C. (2017). corporate directors' and officers' cybersecurity standard of care: The yahoo data breach. American University Law Review, 66(5), 1231-1291.

Kastrenakes, Jacob (Feb 6, 2019). "SEC issues $35 million fine over Yahoo failing to disclose data breach". Reuters