When Yahoo reported Thursday that hackers had breached its databases and gained access to users’ emails, dates of births, encrypted passwords and security answers, cybersecurity experts weren’t surprised. Cyberattacks are, after all, now par for the course, and no company is immune.
But what struck them as unusual was the size of the attack — with at least 500 million accounts affected, one of the largest in the history of cyber attacks — and that it took Yahoo two years to discover the breach.
“For a firm like Yahoo, which is a technology firm no less, you would expect that they would be able to detect and even disclose the breach a little quicker,” said Rahul Telang, an expert in data breaches and cyberhacks who teaches at Heinz College at Carnegie Mellon University. “It was surprising that Yahoo didn’t know about it until the user data hit the black market.”
It takes on average 201 days for a company to detect a data breach, according to the Ponemon Institute, a research firm that focuses on cybersecurity and privacy.
While 201 days is still a long time, technology companies tend to be more advanced and typically uncover attacks much sooner than their less tech-savvy counterparts, said Larry Ponemon, chairman of the Institute.
“Yahoo should have had the security infrastructure to detect it themselves, instead of accidentally discovering it,” Ponemon said.
Without knowing more about the details of the hack, it’s hard to pinpoint the vulnerability that led to the breach and what allowed it to go undetected since 2014. Yahoo said it believes the attack came from a state-sponsored actor, but did not provide any information on how they may have gotten into Yahoo’s systems.
Cybersecurity experts posit that a number of factors were likely at play, such as sloppy security practices, instability from high turnover on its security team and the companywide stress of finding a buyer.
“When your whole business is up for grabs and you don’t know where you will make money, the whole IT and security teams are under a lot of stress,” Telang said. “It’s easy to lose track.”
On top of that, Yahoo has churned through three chief information and security officers since 2014: Alex Stamos served for 16 months before jumping ship to Facebook; Ramses Martinez lasted only two months before leaving for Apple; and Bob Lord has held the role for the last 11 months. All these distractions probably made the company’s security secondary.
Tech firms typically recover quickly from data breaches if they respond fast and take the necessary steps to notify their customers, said Alex Heid, chief research officer at SecurityScorecard, a cybersecurity risk monitoring platform. Even companies whose data breaches included users’ credit card information, such as Target in 2013 and Home Depot in 2014, have bounced back.
But Yahoo may face additional scrutiny about the timing of its disclosure because the company’s $4.8-billion sale to Verizon is still pending, and Verizon was unaware of the security breach when the deal was made in July.
In a prepared statement, a Verizon spokesman said it was only notified this week. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the statement read.
While the security incident may have no material effect on the Verizon acquisition, it’s not unheard of for a deal to come undone because of a company’s weak security systems, Ponomon said. “If you look at a situation like this, why would Verizon want to acquire a company and incur this huge potential liability?” he said.
The company’s valuation could also to take a hit, affecting the acquisition price and potentially leading to investor litigation.
“Let’s say Verizon says, ‘We’re not going to pay whatever we’d agreed to pay for your shares because this is a huge problem that you should have known about before we got into this deal,’ and the price is negotiated down,” said Tyler Gerking, a litigator at law firm Farella Braun & Martel, “I could definitely foresee investor actions by Yahoo shareholders against Yahoo officers and directors.”
These are all possibilities, Heid said. Given the the number of accounts affected and the two years that have lapsed since the breach, it’s hard to know the extent of the damage caused and what further damage may lie ahead. The only thing that’s certain, he said, is Yahoo will not be the last company to experience a hack of this scale.
“With the way things are going, in a few months all eyes will be on a different company,” Heid said. “As soon as the next breach comes around that dwarfs this number, people will move on.”