Taking stock of the massive Yahoo data breach

With help from Cory Bennett, Eric Geller and Martin Matishak

RAMIFICATIONS OF THE YAHOO BREACH — Could the massive Yahoo data breach be the first to actually derail a potential merger or acquisition? That’s what some in the tech world were wondering on Thursday as news emerged that hackers had pilfered the account information of over 500 million Yahoo users two years ago. The company’s bombshell admission, and accusation that a foreign government is behind the digital heist, comes just months after Verizon announced it was planning to acquire Yahoo’s major business properties for $4.83 billion in cash. The telecom bigwig said it was kept in the dark about the breach, and had only learned of it “within the last two days.” The company still has “limited information” about the incident, a spokesman said, and is evaluating the breach “through the lens of overall Verizon interests.”

If Verizon backs away from its purchase, it would be “one of the first times where one of these mega-breaches actually swayed the market,” according to Alex Heid, chief research officer with Security Scorecard, which tracks companies’ digital security practices. Major firms in the past that suffered from jolting hacks — Target, Home Depot, JPMorgan — experienced short-term stock dips, and spent millions on breach recovery efforts, but were not significantly affected in the long run.

— THE NATURE OF THE ATTACK: Because of its potential impact on the merger, the Yahoo breach could mark a departure point in the kinds of attacks we’ll see in the future, said Justin Fier, director of cyber intelligence and analysis at Darktrace. “It could possibly serve as a herald to increasing ‘trust attacks’ — attacks that have the potential to degrade credibility or public confidence,” he said. “This could be the first time we see an attack aimed at directing economic influence vs. political.”

There could be two different Yahoo breaches here. According to Motherboard, the company might have discovered the 2014 attack when it looked into August claims from a hacker with the handle “Peace” who was allegedly selling Yahoo and other credentials online. “There are questions to be answered around Yahoo’s claim that this was a state-sponsored hacker,” said Jeremiah Grossman, chief of security strategy for SentinelOne and a former information security officer at Yahoo. “State-sponsored adversaries don’t typically publicly share stolen data or sell it,” and Peace “was all about selling stolen Yahoo account data, so it’s unlikely he was state-sponsored. And if so, this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.” ABC News reported that Yahoo only learned of the 2014 breach “in the last few weeks,” and says the FBI is investigating.

— THE POLICY SIDE: Sen. Mark Warner said the delay between when the attack happened and when it was publicly disclosed demonstrates the need for Congress to pass strong, nationwide data breach notification standards legislation. “While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today,” Warner said. “Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue, and I urge my colleagues to work together to pass this essential legislation.” Data breach bills have stalled in both the House and Senate this year.

HAPPY FRIDAY and welcome to Morning Cybersecurity! Your MC host’s sporadic September vacation schedule is set to renew again today, so stay in touch with the rest of the team while I’m gone. You can still send thoughts, feedback and especially your tips to [email protected], and be sure to follow @tstarks, @POLITICOPro and @MorningCybersec. But full team info is below.

IT WAS THE RUSSIANS, I TELL YOU! — After receiving numerous government briefings, the top Democrats on the House and Senate Intelligence committees have concluded that senior Russian officials are trying to disrupt or sway the U.S. elections. “At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election — we can see no other rationale for the behavior of the Russians,” said Sen. Dianne Feinstein and Rep. Adam Schiff in a joint statement on Thursday. To this point, lawmakers have been cautious to defer to the Obama administration’s ongoing investigation, and not actually blame the Russians for the series of hacks on Democratic organizations and other elections systems. But the Feinstein and Schiff remarks reveal the growing frustration on Capitol Hill that the White House has yet to publicly rebuke Moscow for the incidents.

WE’RE HERE, GET USED TO IT — The sponsor of new election cybersecurity legislation wants state officials to understand that the federal government has an important role in protecting the integrity of elections. “While states may object to a growing federal role in the election process, it is important to note that the process of voting is a matter of national security,” said Rep. Hank Johnson, who this week introduced two election security bills, in an interview. “The inability for state officials to keep voters’ private information stored in secure facilities, to have machines that have easy to read ballots, or the use of machines that inaccurately tabulate votes, is a threat to our electoral process.” Johnson was responding to an allegation by Georgia Secretary of State Brian Kemp that federal cybersecurity assistance in the state-run electoral process amounted to a power grab.

One of Johnson’s bills directs the Department of Homeland Security to treat elections like other critical national assets, such as power plants and telecommunications facilities. The second measure attempts to move states away from electronic voting machines that do not use paper audit trails. “The federal government must put conditions on the use of federal funds” for voting technology, Johnson said. “This legislation promotes competition and innovation in the election/voting technology space on the manufacturing side.”

IN CONTEMPT OF CONTEMPT — The House Oversight Committee voted along party lines Thursday in favor of a resolution holding former Hillary Clinton tech aide Bryan Pagliano in contempt for refusing to testify about her private email server. Democrats got a little testy. Virgin Islands Del. Stacey Plaskett said such behavior was “destroying the committee,” and Rep. Gerry Connolly, asked how he would vote, answered, “Never, no way, no how, no.”

WE RECOGNIZE WE HAVE TO MODERNIZE — The House on Thursday unanimously passed a bill that would create an information technology upgrade fund. The Modernizing Government Technology Act — from House Oversight IT Subcommittee Chairman Will Hurd — would establish a government-wide IT modernization fund, a key tenet of President Barack Obama’s Cybersecurity National Action Plan. It would also direct agencies to create “working capital funds” for upgrading their computer systems. “This legislation will help federal agencies rapidly upgrade technology systems to improve efficiency, boost cybersecurity, and save money over the long term,” said House Minority Whip Steny Hoyer, who introduced the IT modernization fund bill that was rolled into this legislation, in a statement. The Information Technology Industry Council urged the Senate to quickly take up the MGT Act.

ENCRYPTION? WHO KNOWS? — On Thursday, the House convened an all-member classified briefing about the recent bombings in New York and New Jersey that wounded dozens. Officials from the FBI, Homeland Security Department and the National Counterterrorism Center updated lawmakers on the latest in their nearly weeklong investigation of suspected bomber Ahmad Khan Rahami. But as tight-lipped members emerged, it was unclear if there were any takeaways — particularly on whether Rahami used encryption to help hide his plans. “I didn’t learn anything new,” House Intelligence Committee Chairman Devin Nunes told reporters. But Intelligence panel member Peter King begged to differ. He picked up “a few things,” he told MC. However, “I knew a lot of it, because I’ve been following it in New York.” King declined to say whether encryption even came up during the closed-door session.

DIUX IN NYC, MAYBE — Defense Secretary Ash Carter, who’s been on something of a tear in terms of opening technology innovation hubs, got props Thursday from New York Sen. Kirsten Gillibrand. “I think the Defense Innovation Unit Experimental that you started in Silicon Valley, and now have expanded to both Boston and Austin, is really exciting,” she said during a Senate Armed Services Committee hearing. “And I actually would invite you to look at New York for your next site, because we have so [much] venture capital high-tech developing there, it's becoming sort of this new Silicon Valley.” Gillibrand also asked Carter for a list of “further authorities or resources you need to continue to develop the strongest cyber force we possibly can,” so she can incorporate those requests into next year’s National Defense Authorization Act. “I think this effort you're doing needs thoughtful and continual investment of thinking and resources,” she said.

TWEET OF THE DAY — Yahoo puns. So many Yahoo puns.

RECENTLY ON PRO CYBERSECURITY — DC Leaks, the same hacker that hit Colin Powell, released the personal emails of a White House staffer. … DHS Secretary Jeh Johnson detailed how his agency is offering to help states protect elections from cyberattack. … Defense Secretary Ash Carter said the U.S. would respond to a digital attack “just like any other attack.” … Carter also told Congress no decision has been made about elevating U.S. Cyber Command to an independent combatant command. … The U.S. could fall behind in the race for cybersecurity specialists. … Concerned lawmakers want a review of the Committee on Foreign Investment in the U.S.

QUICK BYTES

— “Exclusive: Probe of leaked U.S. NSA hacking tools examines operative's 'mistake.'” Reuters.

— Federal cyber incidents have jumped considerably over the past decade, according to the GAO. The Washington Post.

— Rep. Mike Honda sued a challenger whom he claimed hacked his donor information. The Hill.

— “U.S. spies finally embracing iPhones, wireless connections.” Bloomberg.

— The Air Force is gearing up for cyberwar; here’s how: Defense One.

— Federal News Radio surveyed folks on the president’s proposed IT Modernization Fund and other matters.

— A subreddit has allegedly leaked Mormon Church documents.

— “HTML standardization group calls on W3C to protect security researchers from DRM.” Boing Boing.

That’s all for today. The day in which I will have all of the sleep.

Stay in touch with the whole team: Cory Bennett ([email protected], @Cory_Bennett); Bryan Bender ([email protected], @BryanDBender); Eric Geller ([email protected], @ericgeller); Martin Matishak ([email protected], @martinmatishak) and Tim Starks ([email protected], @timstarks).
