Seminar - Breach Case Analysis Case Study - Yahoo Data Breach

This week students had to present a PowerPoint presentation on a data breach of their choice, from a provided list. What follows is information taken from the PowerPoint presentation on the Yahoo Data Breach.

In what quite possibly could be the largest data breach to date, Yahoo confirmed that 500 million accounts had been exposed, including:

  1. Names and email addresses
  2. Phone numbers and dates of birth
  3. Hashed passwords and encrypted security question answers

What happened?

  • Yahoo announced the first details of the Yahoo cyber attack in September 2016. Hackers had stolen 500 million users’ data back in late 2014. Eight million of these accounts were UK accounts. Yahoo were aware of the intrusion but had not realised the extent of the breach. In July 2016, whilst investigating a separate data breach, Yahoo found information from 200 million customers’ accounts offered for sale on a darknet market site. The seller, with the nickname ‘Peace’, is believed to be a broker of stolen information and is also believed to be connected to data stolen previously from MySpace and LinkedIn.
  • Yahoo uses cookies to give users quick access to their accounts without needing to re-enter their username and password every time they log in on the site. However, it is believed that the hackers gained access to the proprietary code used to generate these cookies and were therefore able to forge them. Forged cookies allowed them to log into users’ accounts without a password at all. This was the latest attack. The first attack, in 2014, began with a phishing email to a company employee, which was successful.
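The cookie forgery described above works only because knowing the cookie-generation code was enough to produce a valid cookie. The usual mitigation is to make cookie validity depend on a secret key held outside the source code, so that reading the code reveals the algorithm but not the key, and to rotate that key during incident response so every cookie issued before the breach stops working. The following example, added here and not taken from the presentation or from Yahoo's own code (the page does not describe Yahoo's actual cookie scheme), shows an HMAC-signed session cookie with an expiry, a key identifier, and a rotation step; all key values and user names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key. In a real deployment the key comes from a secret
# store or environment at runtime and is never committed with the source code.
SIGNING_KEYS = {"k1": b"constructed-example-key-do-not-reuse"}
CURRENT_KEY_ID = "k1"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used in cookie values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Build 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    payload = {"uid": user_id, "exp": int(now + ttl_seconds), "kid": CURRENT_KEY_ID}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SIGNING_KEYS[CURRENT_KEY_ID], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag_text = cookie.split(".", 1)
        payload = json.loads(_unb64(body))
        key = SIGNING_KEYS[payload["kid"]]  # unknown/retired key id -> rejected
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(expected, _unb64(tag_text)):
        return None
    if payload["exp"] < now:
        return None
    return payload["uid"]


def rotate_key(new_key_id: str, new_key: bytes) -> None:
    """Incident-response step: retire all old keys so pre-breach cookies fail."""
    global CURRENT_KEY_ID
    SIGNING_KEYS.clear()
    SIGNING_KEYS[new_key_id] = new_key
    CURRENT_KEY_ID = new_key_id


if __name__ == "__main__":
    c = issue_cookie("alice", now=1000)
    print("valid:", verify_cookie(c, now=1500))
    rotate_key("k2", b"another-constructed-key")
    print("after rotation:", verify_cookie(c, now=1500))
```

A cookie whose payload is altered without the key, or one signed under a key that has since been retired, is rejected by `verify_cookie`, which is the property an attacker with only the source code cannot defeat. The `kid` field is what lets the service roll keys without breaking the verification logic.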

Who was responsible?

Very few details are known about the third Yahoo cyber-attack apart from the fact that hackers breached security in 2015-16. This more recent attack is not connected to the first two. According to InfoArmor, the Yahoo 2016 hackers probably operated out of Eastern Europe. Nobody knows for sure who the Yahoo hackers were. The private security company InfoArmor said that an elite group of hackers stole the Yahoo database: a group of hackers who hire out their services to the highest bidder. InfoArmor claims that the hacking team was ‘Group E’. They probably operate out of Eastern Europe, breached Yahoo and stole data for three private deals. Two of the three buyers were underground spammers while the third was a ‘state-sponsored actor’ interested in information on U.S. government and military employees. Yahoo has made no comment about this story, although in December their Chief Information Security Officer, Bob Lord, said: “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the Yahoo cyber-attack data theft the company disclosed on September 22nd, 2016.” Neither InfoArmor nor Yahoo has been more specific about which country or countries they believe to have paid the hackers for the information, although there are rumours.

Were any escalations stopped? How?

Yahoo were aware of the breach which occurred in 2014 but did not report it until 2016. A large proportion of the data could have been protected by communicating with their user base and asking for simple password resets. Early communication would also have allowed a coordinated effort with security and government services to limit the breach, following a defined incident response plan. The delay in reporting the breach resulted in Yahoo being fined $35 million by the US Securities and Exchange Commission (SEC).

Legal Outcomes

The Information Commissioner’s Office (ICO) investigated the Yahoo breach in the UK and found that Yahoo had failed to notify its clients of such a large breach, remaining quiet for a period of 2 years. James Dipple-Johnstone, ICO’s deputy operations commissioner, criticised “inadequacies” that had been in place for a long time at Yahoo without being “discovered or addressed”. The ICO stated that Yahoo had failed to take appropriate measures to prevent the theft of data and had failed to ensure that data processed by Yahoo’s US arm was handled to appropriate data protection standards. As a result, Yahoo were fined £250,000 for the breach. In the USA, regulators took a similar course. On April 24, 2018, the Securities and Exchange Commission (SEC) announced that Yahoo had agreed to pay a $35 million penalty for failing to uphold their legal disclosure requirements following the breach.

Conclusion

This breach highlights the importance of proper security implementations and disclosure policies. Yahoo were aware of a breach but did not act on it accordingly. Not only did they not act on the initial breach, they also withheld such a huge breach from their clients and neglected their legal duties. Had they invested a small amount of money, for example the £250,000 of the smaller of the two fines, into proper security systems, they could have saved $35 million. Their reputation was also severely damaged. During the attacks, Yahoo were in the process of selling the company to Verizon, which of course did not settle for the originally agreed amount following the breach.

References:

Hill, M. and Swinhoe, D. (2022). The 15 biggest data breaches of the 21st century. [online] CSO Online. Available at: https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html [Accessed 28 November 2023].

Stone, N. (2017). The Yahoo Cyber Attack & What should you learn from it? - Cashfloat. [online] Cashfloat. Available at: https://www.cashfloat.co.uk/blog/technology-innovation/yahoo-cyber-attack/ [Accessed 28 November 2023].

Nixa (n.d.). Responding to the Unprecedented Yahoo! Security Breach - Blog. [online] Nixa. Available at: https://nixa.ca/en/blog/understanding-and-responding-to-the-unprecedented-yahoo-security-breach/ [Accessed 28 November 2023].

Paul, Weiss (n.d.). Yahoo Agrees to $35 Million SEC Penalty Over Cyber Incident. [online] www.paulweiss.com. Available at: https://www.paulweiss.com/practices/transactional/capital-markets/publications/yahoo-agrees-to-35-million-sec-penalty-for-failure-to-disclose-cyber-incident?id=26363 [Accessed 28 November 2023].

Gibbs, S. (2018). Yahoo fined £250,000 for hack that impacted 515,000 UK accounts. [online] The Guardian. Available at: https://www.theguardian.com/technology/2018/jun/12/yahoo-fined-hack-ico-uk-accounts-russia [Accessed 28 November 2023].

Reflection: This was an interesting research topic as it expanded on previous knowledge of the legal requirements and implications of not reporting breaches. I did not have any challenges during this activity, as I enjoy research.