Yahoo breach: risk and insurance commentary
Written by staff reporter
Yahoo has disclosed (in September 2016) that information associated with at least 500 million user accounts was stolen in late 2014 by what it believes was a state-sponsored actor. The stolen data may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, for some accounts, encrypted or unencrypted security questions and answers. This is a separate and far larger incident than the one reported in July 2012, when roughly 450 thousand Yahoo credentials were posted online.
Head of cyber defence at MWR InfoSecurity, Ed Parsons, says it's too early to say who conducted the attack, and whilst nation states have good reason to collect such data, the perpetrator may not necessarily be a nation state, or even a proxy responding to direct tasking. "As there are no established norms moderating transnational data theft and acquisition, a market has emerged where states are willing, sometimes openly, to pay for stolen data," he explains. "For example, German authorities once paid for data stolen in Switzerland relating to alleged tax evasion. Entrepreneurial hackers may have stolen the data for onward sale to a nation state, or an organised crime group who could also use the data to commit other offences such as identity fraud.
"Any nation state with a mature signals intelligence service will be routinely and opportunistically looking to collect bulk data sets that will extend their surveillance capability overseas. Having access to reliable data that helps to identify foreign nationals and expatriates, and analyse their communications is a key strategic goal, especially when the value of one bulk dataset can be increased by 'washing' it against other data. This is arguably true of domestic agencies as their ability to seek and obtain data legally is being increasingly challenged."
UK cyber security professional at Alert Logic, Richard Cassidy, says service providers like Yahoo will always be a high-value target for hackers on the dark web. "Overall this is a considerable data breach, especially if initial reports citing circa 500 million records leaked are indeed accurate," he said, adding that the data seems already to have been monetised (in part) and distributed via various cybercriminal networks.
Security industry observers also note the potential financial and reputational impacts of this incident on the pending Verizon transaction.
"Naturally such a breach will cause concern at board level for those involved in the M&A process and eventual purchase of Yahoo; with IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties' infrastructures and ultimately affect operational capability," Cassidy commented. "Furthermore, the knock-on effect financially, as worried shareholders seek to exit to safer stocks, will create short to medium term fiscal unrest. However, what matters now is how Yahoo communicates the details of the breach and helps users (who have been identified as having had their data breached) put in place expedited account security measures, not just at Yahoo, but across all personal accounts where passwords and/or usernames may be similarly used."
Technical director at Tenable Network Security, Gavin Millard, said as attackers become more sophisticated, it is important that organisations have a rapid process for determining the impact of the breach and a robust approach in addressing the ensuing post-breach fallout. "One of the most concerning aspects of this breach is the fact that the security questions and answers were unencrypted. Most users would have used valid responses to questions like mother’s maiden name, first car, and first pet, which could lead to further exploitation and account misuse," he said.
Head of cyber risk at JLT Specialty, Sarah Stephens, said the attack highlights the increasingly pervasive nature of cyber risk, and particularly the issue of latency in discovering that an attack has occurred. "Presumably, a sophisticated and well established internet leader like Yahoo would have best in class intrusion detection and escalation capabilities, and the fact that two years have passed between this attack and their discovery should alert companies with fewer resources that they may also be missing detection of significant events," she said.
"The exposure of security questions (such as 'in what city did your parents meet?') is potentially significant in this incident as well, as it means the security implications could cascade to many other websites with similar protocols. This highlights the systemic nature of incidents on this scale.
"The raft of additional expenses following a data breach, most notably for consumer notification, forensic investigation, public relations, and other crisis management expenses, highlight the need for cyber insurance. This incident has widely been reported as the largest data breach ever, so litigation and regulatory interest are sure to be a factor for Yahoo. It will be interesting to see how the financial and reputational impacts of this incident affect the pending Verizon transaction. It's also likely to underscore the importance of cyber security and incident readiness in the transactional due diligence process."
Stephens says traditional insurance products aren't likely to respond to the potentially significant incident response costs in this case, which may extend far beyond Yahoo itself. "Companies can no longer view cyber insurance as merely optional, but rather a critical weapon in their cyber risk management arsenal,” she added.
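Both Millard and Stephens flag the same technical failure: security answers stored in a form that reads back as plaintext, so one leaked table exposes "mother's maiden name" and "first car" for reuse against every other site that asks the same question. The example below is added here to illustrate the alternative; it is not code from the article, from Yahoo or from any of the firms quoted. It normalises each answer, then stores only a per-record salt and a scrypt digest, so a leaked table neither reveals the answers nor lets an attacker group users who share one. The two enrolment rows, the scrypt cost parameters and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample rows: what a plaintext security-answer table looks like
# once it leaks. Two users sharing an answer is common for questions like these.
LEAKED_PLAINTEXT_ROWS = [
    ("alice@example.com", "mother's maiden name", "Smith"),
    ("bob@example.com", "mother's maiden name", "smith"),
    ("carol@example.com", "first car", "Honda  Civic"),
]

# Illustrative scrypt cost; tune to your hardware budget (assumption, not a standard).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def normalize_answer(answer: str) -> str:
    """Canonicalise so 'Honda  Civic' and 'honda civic' verify the same way.
    Applied identically at enrolment and at verification, before hashing."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per record means two users
    with the same answer get unrelated digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"), salt=salt, **SCRYPT_PARAMS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


def enrol(rows: Iterable[Tuple[str, str, str]]) -> Dict[str, Tuple[str, bytes, bytes]]:
    """Convert plaintext rows into the only form the database should hold:
    question text, salt and digest. The answer itself is never persisted."""
    records: Dict[str, Tuple[str, bytes, bytes]] = {}
    for email, question, answer in rows:
        salt, digest = hash_answer(answer)
        records[email] = (question, salt, digest)
    return records


def shared_answer_visible(records: Dict[str, Tuple[str, bytes, bytes]], a: str, b: str) -> bool:
    """True if an attacker holding only the table can tell that users a and b
    gave the same answer. With per-record salts this should be False."""
    return records[a][2] == records[b][2]


if __name__ == "__main__":
    table = enrol(LEAKED_PLAINTEXT_ROWS)
    _, salt, digest = table["alice@example.com"]
    print("alice verifies with ' SMITH ':", verify_answer(" SMITH ", salt, digest))
    print("alice verifies with 'Jones':", verify_answer("Jones", salt, digest))
    print("alice/bob share answer, visible from table:",
          shared_answer_visible(table, "alice@example.com", "bob@example.com"))
```

Hashing does not make a low-entropy answer strong (a dictionary of surnames still cracks "Smith" offline), which is why the quoted experts treat knowledge-based questions as a weak second factor at best; it does stop the leaked table from being a ready-made, cross-site answer key.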