Incident Of The Week: Multiple Yahoo Data Breaches Across 4 Years Result in a $117.5 Million Settlement
Phishing And Nation State Attacks Lead To Mega-Breach Of Former Leading Email Provider
Yahoo has had a years-long history of both data breaches and cases where hackers break into systems but do not take anything. The collective hacks have led to a settlement in which affected parties can participate. Here's what you need to know:
According to the website for the Yahoo data breach settlement, the company's cyber security issues covered by this matter extended from 2012 to 2016. More specifically, data breaches involving stolen information occurred between 2013 and 2016, while so-called data security intrusions (where an infiltration happened without those responsible taking data) happened from at least January to April 2012.
The cybercriminals did not take the same kind of data in every case or behave the same way. For example, in 2012, two separate hackers broke into Yahoo's online infrastructure without taking anything.
The next year, cybercriminals behaved maliciously when they took records from all of Yahoo's accounts, which totaled about 3 billion. In that instance, the information seized by the hackers could have allowed them to access things like users' email accounts and calendars.
In 2014, hackers directly targeted Yahoo's user database, affecting about 500 million people. The cybercriminals reportedly got account details such as people's names, email addresses, passwords, phone numbers and birthdays.
The aftermath of that event continued for years, sparking increased public awareness both of these breaches and of the respective cyber security laws and regulations. It was not until 2018 that news broke of Yahoo's shell company receiving a $35 million fine for failing to disclose the 2014 incident.
The final cyber security matter addressed by the settlement happened from 2015 to September 2016. In that instance, hackers used cookies to break into the accounts of about 32 million individuals.
How Did Yahoo Respond?
Unfortunately, Yahoo failed to issue the kind of sweeping statement you might expect to give the public reassurance that the company has recommitted itself to cyber security in meaningful ways. Instead, the brand has a section on its website devoted to security notices. There, you can find the data breach notices that Yahoo sent to its users in September 2016, December 2016 and October 2017.
Here's a breakdown of what Yahoo pledged to do to stop future incidents in each case:
- Invalidated unencrypted security questions and answers
- Continued enhancing the systems that detect and prevent unauthorized access
- Required all affected and unaffected users to change their passwords
Yahoo's statements mentioned the company was working with law enforcement officials, but the documents did not give concrete details about the status of the investigations. The company did briefly reveal that a state-sponsored party may have been behind the 2014 issue.
Verizon Communications Inc., of which Yahoo is now a part, also promised to spend $306 million between 2019 and 2022 to improve Yahoo's cyber security, which is five times more than what Yahoo itself spent between 2013 and 2016. Verizon also indicated it would quadruple Yahoo's IT staff.
What Should CISOs Learn From This Breach?
The Yahoo data breach was, in part, as bad as it was because of poor security practices. Hackers gained access to Yahoo's network through a phishing scheme: all it took was one employee with network access clicking a malicious link. Once in, the hackers were able to secure their continued access to the network. Also, some confidential data — including security questions and answers — was stored unencrypted by Yahoo.
CISOs should prepare for attacks that use social engineering just as much as for brute-force attacks. This requires CISOs to provide some level of cyber security education to staff who are neither security specialists nor tech-savvy. CISOs should also ensure that basic security measures — like the encryption of identifying information — are in place.
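As an added example (not Yahoo's code, and not part of the original article), the following Python shows the defensive pattern for the security questions and answers the article says were stored unencrypted and later had to be invalidated. Because an answer only ever needs to be verified, never read back, it is treated like a password: normalized, then stored as a salted, slow PBKDF2-HMAC-SHA256 hash and checked with a constant-time comparison. It also includes a small audit function that flags legacy plaintext records, which is the kind of check that would surface such a store before an incident. The user records, answers and the iteration count are constructed assumptions for illustration.

```python
"""Protecting stored security-question answers (added example, not Yahoo's code)."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional

# Assumption: a PBKDF2 cost suitable for an interactive login path.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'New  York' matches 'new york'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Anything that is not in the hashed format (e.g. a legacy plaintext value)
    fails verification rather than being compared directly.
    """
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def find_plaintext_records(records: Dict[str, str]) -> List[str]:
    """Audit helper: user IDs whose stored answer is not in the hashed format."""
    return [uid for uid, value in records.items()
            if not value.startswith("pbkdf2_sha256$")]


# Constructed sample store: one record migrated to hashing, one still plaintext.
SAMPLE_STORE = {
    "user-1001": hash_answer("New York"),
    "user-1002": "fluffy",  # legacy plaintext answer (constructed sample)
}

if __name__ == "__main__":
    print(verify_answer("new   york", SAMPLE_STORE["user-1001"]))  # True
    print(find_plaintext_records(SAMPLE_STORE))  # ['user-1002']
```

The record format embeds the scheme and iteration count so the cost can be raised later without breaking existing entries, and the audit function gives a migration team a concrete list of accounts whose answers must be re-collected or invalidated, which is what Yahoo's notices describe doing after the fact.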
What Should You Know About the Settlement?
In April 2019, Yahoo agreed to a $117.5 million settlement associated with the above incidents, which affected about 3 billion people. According to an article from Reuters, it covers approximately 896 million accounts belonging to as many as 194 million people in the U.S. and Israel.
Breaches Are Increasingly Prevalent Threats
The frequent news of breaches is enough to make people think that they're at risk by using the internet in any way. Although it took a while for sufficient corrective action to happen in Yahoo's case, that's hopefully changing now.