Government Probes Certain for Massive Yahoo Breach, But Experts Question Impact
Following Yahoo's revelation that a billion user accounts were compromised three years ago (see 1612140076), experts we interviewed Thursday were divided on whether more congressional and regulatory scrutiny would help and on how the latest incident would affect the company's takeover by Verizon. It's the second data breach Yahoo has disclosed within three months. In September, the company said 500 million user accounts were compromised in late 2014 (see 1609220046).
“I don't think Congress can do much about it," said privacy and data-security lawyer Edward McAndrew of Ballard Spahr. "I'd be very surprised here if regulatory agencies at the federal, state and perhaps international level do not launch investigations." He said, to put it in perspective, FTC Chairwoman Edith Ramirez called the data breach settlement with infidelity website Ashley Madison Wednesday (see 1612140068) one of the biggest ever, and it involved 36 million users.
In the latest revelation, experts said the theft of secret password reset questions -- a mother's maiden name, first car or the name of the street an individual grew up on -- was troubling because a hacker with this information, along with a stolen email address, can now reset an account password. They said that if the source code used to generate cookies was compromised, a hacker with a Yahoo user's email address could easily generate a valid cookie and would not need a password at all. With cookie spoofing, "the hackers here found a way to delete that layer of authentication and with just passwords in addition to that it became very easy to gain access to the accounts," said McAndrew, adding that the number of records stolen didn't surprise him.
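The cookie-forging risk described above, as an added illustration that is not from the article and not Yahoo's code: a minimal HMAC-signed session cookie in Python. Possession of the signing secret alone is enough to mint a cookie that passes the signature check; a server-side session lookup and key rotation are the mitigations shown. All account names and values are constructed.

```python
import base64, hashlib, hmac, json, secrets

def sign_cookie(payload: dict, key: bytes) -> str:
    # Stateless signed cookie: base64(JSON payload) + "." + HMAC-SHA256 tag
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie: str, key: bytes):
    # Returns the payload if the tag matches under this key, else None
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))

class SessionServer:
    # Signed cookie backed by a server-side session table, with key rotation
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.sessions = {}  # session id -> account email
    def login(self, email: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sign_cookie({"sid": sid, "email": email}, self.key)
    def authenticate(self, cookie: str):
        # A valid tag alone is not enough: the session id must also be live
        p = verify_cookie(cookie, self.key)
        if p and self.sessions.get(p.get("sid")) == p.get("email"):
            return p["email"]
        return None
    def rotate_key(self):
        # Invalidates every cookie minted under the old key, forged or not
        self.key = secrets.token_bytes(32)
        self.sessions.clear()

def demo():
    srv = SessionServer()
    real = srv.login("alice@example.com")   # constructed sample account
    leaked = srv.key                        # models the signing secret being exposed
    forged = sign_cookie({"sid": "x", "email": "bob@example.com"}, leaked)
    r = {
        # a signature-only check would accept the forgery outright
        "signature_only_accepts_forgery": verify_cookie(forged, srv.key) is not None,
        "session_check_rejects_forgery": srv.authenticate(forged) is None,
        "session_check_accepts_real": srv.authenticate(real) == "alice@example.com",
    }
    srv.rotate_key()
    r["real_cookie_dead_after_rotation"] = srv.authenticate(real) is None
    return r
```

Rotation is the blunt instrument: it logs everyone out, which is why the server-side session check matters as the everyday control.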
Verizon said in a statement that it would continue to evaluate the situation. A Yahoo spokeswoman emailed: "We are confident in Yahoo’s value and we continue to work towards integration with Verizon." McAndrew said Verizon should be focusing on these disclosures if there's a loss of users or change in user behavior with Yahoo, which could impact the deal's value. He said such incidents "could be a bit of a bellwether of what materiality really means in a factual sense" if Verizon were to alter or walk away from the purchase. Many public companies are disclosing cyber as a major potential risk in operations, but McAndrew said "none, to my knowledge" have reported they've experienced an incident that could be material in securities law.
Cybersecurity consultant Mark Graff called the breach "historic" and "horrifying." He said what's unusual is the sheer size and that the company had known it was a "world-class target" for some time. "They have a repository of information on such a scale that it is of significant strategic value to nation states like Russia, like China, who want to build up an understanding, a map if you will, of the people and the relationships in the United States," said Graff, a former chief information security officer for Nasdaq and before that the Lawrence Livermore National Laboratory. Yahoo and its investigators haven't officially blamed any party for the break-in, but Graff said that style of "slow-paced, long-game information gathering" is typically attributed to nation states. By harvesting this information, nation-state hackers can get data about high-level government officials in order to impersonate or compromise them, he said.
“Those are genuinely spectacular data breaches, and for them to be occurring at the same company is deeply problematic and troubling," said World Privacy Forum Executive Director Pam Dixon. Additional scrutiny is needed for Yahoo and others that have a pattern of data breaches, she said. She said the FTC could impose an annual security audit and Congress can enact national data breach notification legislation. She said that users need to learn about two-factor authentication to help protect their accounts.
Experts said it's unclear whether Congress will take up data breach notification legislation, which would require companies to disclose a breach in a more timely manner. Also unclear is whether Yahoo knew about the breach three years ago and only disclosed it now or if it just discovered the breach, one expert said.
Online Trust Alliance President Craig Spiezle said FCC ISP privacy rules impose data breach notification duties on carriers like Verizon, though he said he didn't think the telco would bear any liability from the Yahoo fallout. He said a set of clear, rigorous notification standards would benefit both consumers and businesses, which would then know how to navigate and operate when a breach occurs. If the next Congress rolls back those rules, which is a possibility (see 1612020035), Spiezle said it could have long-term impacts on data security and privacy.
Graff said companies need first-rate security experts at the top who can design secure systems, and Yahoo's breaches in 2013 and 2014 show the firm has systemic problems. He said the incidents made "a great argument for regulation or continued regulation" requiring publicly held companies to make breach information available to "gain visibility about who we want to do business with." Graff wants cybersecurity professionals who design the defenses to be licensed, similar to how doctors, attorneys and architects are certified. "There's so much at stake now that you really can't leave it up to people who kind of make it up as they go along," he said.
“With cyber, we’re seeing a rapid scalability in attacks and the number of impacted victims," McAndrew said. "We’re seeing it with [distributed denial of service] attacks where the amount of traffic being thrown at websites to take them down is increasing exponentially," he said, as in the recent botnet attack on DynDNS (see 1611150059).