SEC Reportedly Probing Yahoo's Breach Notification SpeedShould Search Giant Have More Quickly Notified Investors About Two Breaches?
Yahoo is reportedly facing an investigation by U.S. authorities into whether it should have notified investors faster about two separate data breaches that it suffered in 2013 and 2014. Until last year, the 2013 breach remained undetected, while the full extent of the 2014 breach apparently wasn't understood (see Report: U.S. Data Breaches Reach Record Levels).
In December, the Securities and Exchange Commission launched an investigation into whether the search giant violated civil securities laws and issued requests for related documents, The Wall Street Journal reports, citing unnamed sources with knowledge of the investigation.
The SEC requires companies to report cyber incidents that may have an impact on corporate finances.
A civil case could result in the SEC imposing penalties on the organization that it's investigating, although the Yahoo investigation is reportedly still in its early stages and may not result in any such penalties.
The SEC declined to comment on the report.
Multiple investigations into Yahoo's 2013 and 2014 breaches are underway. In its November 2016 10-k quarterly SEC filing, Yahoo said that it "is cooperating with federal, state and foreign governmental officials and agencies seeking information and/or documents about the security incident and related matters." It listed those agencies and officials as including the SEC, as well as the U.S. Federal Trade Commission, multiple state attorneys general and the U.S. attorney's office for the Southern District of New York.
The filing adds that Yahoo "does not have cybersecurity liability insurance."
Reached for comment about The Wall Street Journal report, a Yahoo spokesman referred to the language in its November 2016 10-k filing with the SEC.
Historically, the SEC hasn't launched investigations into breach notification speed, according to cybersecurity consultant John Reed Stark, who previously ran the SEC's office of internet enforcement.
He tells The Wall Street Journal that prosecutors would typically never have any interest in how breaches were disclosed. "In my 20 years at the SEC, I never referred a disclosure case to a prosecutor," he said.
But that's been changing, with the SEC signaling last year that it's going to be taking a more hands-on approach to reviewing privacy and data protection practices at all publicly traded companies (see SEC Prepares for More Cybersecurity Oversight).
Spotlight: Two Mega-Breaches
The breach investigation reportedly ties to Yahoo warning on Dec. 14, 2016, that it had discovered a breach that appeared to date from August 2013, which put the data of 1 billion users at risk. "We have not been able to identify the intrusion associated with this theft," Yahoo CISO Steve Lord said at the time.
Lord said Yahoo believed that breach was separate from another late 2014 breach that it detailed on Sept. 22, 2016, which may have compromised information on 500 million or more users. Yahoo noted that while it had detected an attacker inside its network, the company failed to spot stolen data being exfiltrated.
Lord blamed the late-2014 breach on "a state-sponsored actor," but security firm InfoArmor suggested that mercenaries or a cybercrime gang - with no nation-state ties - might have been behind the attack.
Breach Detection Delays Are Common
The delay between Yahoo's 2013 breach occurring and Yahoo spotting it was lengthy, but there have been similar delays after some other breaches. Cybersecurity firm FireEye's Mandiant division, for example, reports that organizations require, on average, 146 days to discover they've been breached, but that average includes some organizations taking far, far longer. Slightly more than half of all compromised organizations also first learn of a breach from an external entity.
Once an organization spots a breach and its investigation progresses, it may find - one way or another - that many more individuals or records were affected than it first believed, according to data breach prevention and response expert Alan Brill of the corporate investigations and risk consulting firm Kroll.
In its November 2016 quarterly SEC filing, for example, Yahoo confirmed that insiders detected unauthorized access to its network in 2014. It also said Yahoo's board of directors has launched an independent committee to investigate the breach, including "the scope of the knowledge within the company in 2014 and thereafter regarding this access."
Yahoo's failure to spot the severity of its 2014 breach is not unique. In 2016, for example, 165 million LinkedIn account credentials came to light in connection with a 2012 breach of the site. Back in 2012, however, LinkedIn only confirmed that 6.5 million credentials - which appeared on a password-cracking forum - had been compromised. LinkedIn has repeatedly declined to comment on the discrepancy.
Verizon-Yahoo Deal: It's Complicated
The ongoing breach saga could complicate the July 2016 deal Yahoo reached with Verizon, which agreed to buy Yahoo's operating businesses for $4.8 billion.
Most organizations - barring a handful of bitcoin exchanges that have had their funds drained - face no long-term repercussions from suffering a breach, seeing both their stock price and reputations rebound, according to data breach expert Troy Hunt. LinkedIn, for example, went on to get purchased last year by Microsoft for $26.2 billion in cash (see LinkedIn Sale: Mega Bucks, No Matter Mega Breach).
But in Yahoo's case, both of its old breaches came to light only after the deal was closed.
Verizon has said that it's awaiting the full results of Yahoo's breach investigation to see if it has a negative effect on Yahoo's value or causes a decline in its user base (see Verizon's Yahoo Breach Question: What's 'Material'?).
Also Pending: Class-Action Lawsuits
Beyond the SEC investigation, Yahoo said in its November 10-k filing that the company was facing 23 consumer class action lawsuits in U.S. state and federal courts as well as abroad. "The plaintiffs, who purport to represent various classes of users, generally claim to have been harmed by the company's alleged actions and/or omissions in connection with the security incident and assert a variety of common law and statutory claims seeking monetary damages or other related relief," according to Yahoo's filing.
High-profile data breaches often spark a flurry of related class-action lawsuits, at least in U.S. courts. But most such cases fail (see Why So Many Data Breach Lawsuits Fail). Legal experts say that's because when consumers assert that they've been harmed by a breach, judges will typically look for financial-related proof of such harm. Because payment card issuers have historically compensated most, if not all, losses associated with stolen payment card data, proving such harm has been difficult.
In some cases, breached organizations have settled with consumers, which legal experts say is an attempt to avoid any type of unfavorable precedent being set if a judge should find in favor of breach lawsuit plaintiffs.
In March 2015, for example, retailer Target reached a settlement agreement over its massive 2013 data breach, agreeing to pay $10 million to the 40 million victims whose payment card data was stolen, as well as to reimburse plaintiffs' attorneys' fees and expenses up to $6.75 million. Separately, Target also reached a $19 million settlement agreement with MasterCard on behalf of affected card issuers.
The terms of the Target settlement enabled victims who shopped at an affected Target store from Nov. 27 to Dec. 18, 2013, to receive up to $10,000, provided they could document their losses. After paying such claims, the rest of the $10 million settlement was to be split equally between the remaining victims who hadn't been able to document any losses, meaning they could expect to see a maximum of $0.25 each.