Data Loss Prevention (DLP) , Governance & Risk Management , Incident & Breach Response

Yahoo Takes $350 Million Hit in Verizon Deal

Acquisition Will Go Through, But at a Price for Search Giant
Yahoo Takes $350 Million Hit in Verizon Deal
Yahoo's headquarters in Sunnyvale, Calif.

Yahoo's data breach misfortunes carry a steep price. The search giant's acquisition by Verizon Communications will go ahead, but the original $4.8 billion purchase price agreed to in July 2016 will be discounted by $350 million, the companies say.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

The deal, now valued at $4.48 billion, is expected to close by the end of June. Even so, Yahoo investors may be breathing a sigh of relief, since at one time Verizon was rumored to be seeking a $1 billion discount.

Yahoo had the misfortune to have disclosed three massive data breaches - one disclosed in September 2016 and two in December 2016 - after hammering out the acquisition deal. Those breaches collectively compromised more than 1 billion accounts, sometimes more than once. The disclosures cast doubt on whether Verizon would follow through with the acquisition and became a case study on the long-term business impact that apparent security lapses might pose on big business deals.

Verizon, however, has stood by its decision to push ahead. "We have always believed this acquisition makes strategic sense," says Marni Walden, Verizon executive vice president.

But Verizon executives also believe that breach-related costs will continue to mount. So as part of Verizon's revised deal, Yahoo will pay half of all costs related to government investigations - outside of any Securities and Exchange Commission investigations - as well as relating to third-party litigation tied to the breaches. And Yahoo, which did not carry cybersecurity insurance, must absorb all costs stemming from shareholder lawsuits and SEC investigations.

The SEC is pursuing at least two lines of inquiry: whether Yahoo waited too long to notify breach victims, and whether the search giant violated securities laws by not providing documents to the agency related to the breaches (see SEC Reportedly Probing Yahoo's Breach Notification Speed).

Yahoo also faces 23 putative class-action lawsuits in U.S. federal and state courts - just for the breach disclosed in September alone, according to an earnings report filed in November 2016.

Many of those cases are in early stages and have not been certified by judges or had any damages specified, thus making it difficult to estimate what costs might result, Yahoo says.

Yahoo Announces Record Year

Yahoo's problems came after what was already an unprecedented string of breach disclosures last year from web services companies, including LinkedIn, MySpace and Dropbox. Many of the breaches actually occurred several years prior to disclosure (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

On Sept. 22, 2016, after several months of rumors that it had been breached, Yahoo disclosed that a suspected state-sponsored actor stole account information related to 500 million users, most likely in late 2014 (see Massive Yahoo Data Breach Shatters Records).

The data stolen included encrypted passwords, names, email, addresses, phone numbers and birth dates. The attackers also obtained security questions and answers used to reset accounts, only some of which were encrypted.

On Dec. 14, 2016, Yahoo revealed another breach dating from August 2013 that affected as many as 1 billion users, which is virtually its entire user base (see Yahoo Breach Alert: 1 Billion Accounts at Risk).

At that time, Yahoo also disclosed that an unknown number of accounts were accessed in 2015 and 2016 using forged cookies. Cookies are small data files that can enable continued access to an account for a period of time.

Long-Term Breach Risks

Acquiring Yahoo - a web darling from the 1990s whose star faded with the rise of Google and Facebook - would give Verizon a way to increase its digital advertising business. Although Yahoo remains a profitable company, it has struggled to develop new, digital products that attract new users.

From a breach-fallout perspective, the financial impact for Yahoo - and now Verizon - may be slight. Victims of Yahoo's breach didn't suffer direct financial losses because no payment-related information was compromised, and historically, most judges have dismissed breach-related lawsuits in which users could not prove financial damage.

Of course, that may be of small comfort to Yahoo's users. While the impact of having one's personal data get stolen can be hard to value, the Yahoo data that was breached could be used for identity theft or other impersonation scams. Once such personally identifiable information gets lost, furthermore, it can never be retracted, posing long-term risks especially in relation to static data, such as birth dates.

The data from Yahoo's breaches hasn't leaked publicly on wide scale. But at least one security firm, InfoArmor, believes the Yahoo data has been discreetly sold several times by a group of professional hackers in Eastern Europe that may have also been behind the breaches at LinkedIn, MySpace and Tumblr (see Yahoo Hacked by Cybercrime Gang, Security Firm Reports).

Although Yahoo attributed the 2014 breach to state-sponsored hackers, InfoArmor says that the data appears to have been stolen by mercenaries before being sold to multiple groups, one of which it believes is state-connected.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.