Further Analysis of The Yahoo! Breach

Continuing to follow developments in Yahoo’s recent breach, there are two things that happened since my “Yahoo! Password as a Service” post last week. The first was obvious and expected: multiple class-action lawsuits have been filed against the company. The second was expected, but didn’t happen: Yahoo still doesn’t say when it knew about the breach that occurred back in 2014. Yahoo’s handling of data security and its response to the breach have all the markings of a case study we’ll look back on for years to come. (Though we said the same about Target two years ago). Let’s look at how these two things – litigation and disclosure - affect cyber security.

The threat of civil litigation is definitely becoming a major factor in companies' stance on cyber security. As shown by many years of security research, three quarters of all data breaches could have been prevented by a cyber security program built on traditional security controls, with no fancy tools or exceptional expertise required. For example, the NSA recently reported that no zero days were used in any of the high profile breaches reported in the last two years. Cyber security is just a matter of priorities. And companies know that. That's why the first thing you typically hear now is that there was a nation-state actor behind every breach, implying tremendous sophistication of the attack and inability of an average corporate citizen to defend against it. That's where the litigation comes in handy: to assess the level of diligence the company employed to prevent such a breach.

What doesn't get enough attention though is the time it took the company to notify all affected parties of the breach. By seemingly concealing the breach for such a long time, Yahoo may have multiplied the damage caused by the breach itself. By now we are all well-trained on how to respond to yet another breach: change your password, check transactions for any anomalies, enroll into any enhanced security options offered, and move on. In the Yahoo case, attackers had access to our credentials for two years, without us knowing about it. How many of these credentials were used to breach individual financial accounts, or hijack a person's computer to join the botnet, or create an effective phishing campaign to penetrate corporate defenses? That's the damage that is unaccounted for, and if there's even a fraction of evidence supporting it, it could take litigation to a whole new level.