Yahoo!, the technology tycoon that took the Internet by storm in the early 2000s, announced that upwards of 500 million user accounts were victim to a data breach of the company’s technology infrastructure in early 2014. An uproar ensued, as people questioned why and how the Company could wait nearly two years to inform the public. The massive data breach of Yahoo’s infrastructure also affected many Flickr accounts tied to Yahoo IDs for the photo-sharing service. A former Yahoo executive suggested that the number of affected users might be closer to one billion.
The theft is said to have included names, telephone numbers, dates of birth, security questions and answers, and email addresses. The Company believes that state-sponsored actors are to blame. Security analysts fear that with such a wide breadth of information accessed and depth of users affected, individuals could be victims of extreme “credential stuffing.” This is where hackers systematically enter the gathered information into multiple sensitive websites, like banks, email, and insurance accounts, hoping that people used the same credentials over and over.
For years, technology companies have been fighting off cyber attacks and “credential stuffing” scandals, in what proves to be a battle royale of innovation and adaptation. While Yahoo competitors, like Facebook and Google, began paying hackers to show them flaws in their security infrastructure as early as 2010, Yahoo waited nearly three years to follow suit. In 2013, the infamous Edward Snowden confirmed that Yahoo was a key accessible target in a number of cyber attacks.
Finally, in 2014 things were looking up for Yahoo with the hiring of Chief Information Officer, Alex Stamos. A lead player in the information security space, Stamos tried to get Yahoo back on track. Stamos fashioned a young group of engineers, later dubbed the Paranoids, to promote privacy and anti-surveillance measures and collaborative security data measures. Stamos and the Paranoids strived to improve the Company’s security defenses. Amongst industry leaders, like Pinterest, Google, and Facebook, the Paranoids were known for their innovative ideas, including their efforts to adopt end-to-end encryption services on email messaging.
Unfortunately, CEO Marissa Mayer was focused on growing the Company’s revenue and not losing the Company’s ever-shrinking base of email users. This meant she and Stamos often disagreed on how to better Yahoo as a whole. The New York Times reports that Mayer “denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems.” Mayer even rejected what is, quite clearly, an industry standard: automatic password protection reset measures. In the last couple of years, several Paranoids have left the Company for jobs with its competitors, and early last year, Stamos left Yahoo for a position at Facebook. Thus, many are blaming Mayer for the breach, claiming that she rejected numerous attempts to update Yahoo’s security infrastructure and pushed away key members of Yahoo’s security team.
Several sources assert that Yahoo’s announcement of the 2014 breach was too little too late. Some question whether the Company waited to announce the breach until after it had solidified talks of the company’s sale to Verizon. Indeed, Yahoo did not inform Verizon of the breach until less than two days before it announced the breach publicly. Moreover, the investigation that Yahoo launched into the breach started on July 30, only five days before Yahoo had agreed to sell Verizon its core business for $4.8 billion. Technology and law experts agree that the breach significantly devalues Yahoo’s worth to Verizon, with the Company’s reputation plummeting by the day. Verizon’s lawyers will have to reassess the deal to decide if Yahoo handled the breach in a reasonable manner. Did Yahoo locate the breach and mitigate the damages as quickly and completely as possible? Verizon may also claim that the lack of known security breaches was a material component of the contract, a piece of the deal that ultimately should have been disclosed at negotiations. Indeed, the merger agreement between the parties states that no security breaches had occurred to Yahoo’s knowledge. The parties now know this was false, and so we’re all watching to see if Yahoo can salvage this deal.
Aside from the legal ramifications of the breach in the Verizon negotiations, Yahoo is also facing a number of class-action lawsuits. Moreover, state officials are calling for answers. Vermont Senator Patrick Leahy, joined by six other Democratic senators, wrote Mayer, demanding to know what the company is doing to prevent future data breaches. Other senators are asking that the Securities and Exchange Commission thoroughly investigate the disclosure of the breach, details surrounding the breach, and the unreasonable delay in reporting the breach to the public.
Only time will tell how one of the largest breaches in history plays out! Let’s just hope it takes less than two years for Mayer to give us some answers… because attorneys believe this is the perfect case for the SEC to enforce its new cyber security disclosure guideline it released back in 2011.
Anna-Bryce Flowe is a second-year law student at Wake Forest University School of Law, where she is also a member of the Wake Forest AAJ Trial Team and Honor Council Treasurer. She holds a degree in Politics from New York University and worked for AT&T’s Premier Client Group, Corporate Sales before starting law school. Upon graduation, she plans to practice as a complex civil litigator, with an emphasis on business and international law.