Friday, December 16, 2016
The newly disclosed intrusion occurred one year before a 2014 hack that was reported in September 2016 and affected an estimated 500 million account holders. These two breaches are the largest ever recorded, security analysts stated. Forensic experts and government agencies are reviewing both incidents in separate investigations.
According to Yahoo, the 2013 attack occurred outside the cardholder data environment. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," Yahoo representatives stated. "Stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers."
Yahoo previously reported that the 2014 breach likely used manufactured web cookies to falsify login credentials, which gave hackers the ability to access any account without a password.
Yahoo has been criticized for its late disclosure of the data breaches as well as for lax security measures. The company is facing several lawsuits and a congressional investigation stemming from these events. The intrusions may have also put into question Verizon Communications Inc. plans to acquire Yahoo for approximately $4.8 billion.
In the wake of the latest disclosure, Yahoo required all of its customers to reset their passwords; it also invalidated unencrypted security questions. After disclosing the first breach, the company reportedly recommended, but did not require, a password reset. Some analysts compared these remedial measures to closing the barn door after the cows are already out and suggested Yahoo needs a complete infrastructure overhaul.
Laura Martin, Senior Analyst at Needham & Co. called Yahoo's security measures inadequate. "It sounds to me like they never knew about any of these breaches, which means they never fixed the problem," she said. "That implies that the assets are actually less valuable than we thought."
Some financial analysts suggested ongoing merger talks with Verizon Communications Inc. could be disrupting Yahoo's remediation process. Others predicted news of the second, larger breach would extinguish Verizon's desire for the deal. Representatives from both companies, however, affirmed their commitment to the merger, which is expected to close in the first quarter of 2017.
"Litigation and other problems will stem from Yahoo's data breach, and Verizon needs to assess the potential financial hit from those headaches and whether they hurt Yahoo's already shaky financial results," wrote Bloomberg Analysts Shira Ovide. "Odds are that Verizon will proceed with its Yahoo deal, but under the circumstances it is justified in seeking a [cyber-uncertainty] discount on the toy it plucked from the remainders bin."
Security is a core value at Verizon. The company has worked with government and private sector agencies, publishing its findings in a series of annual reports. The Verizon 2015 PCI Compliance Report reviews the Payment Card Industry Data Security Standard (PCI DSS), examining the Standard's 12 requirements: maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems, and maintaining security policies.
Verizon's 2016 Data Breach Investigations Report (DBIR) analyzed over 100,000 incidents that occurred in 2015, including 3,141 confirmed data breaches. The company cited phishing as a dominant cyberattack method, proposing spam protection, list blocking, email header/attachment/URL analysis and reporting suspicious emails as multi-layered protections against phishing scams. The DBIR advised companies to authenticate, segment and monitor all devices, apps and personnel connected to their networks.
Verizon's risk managers routinely investigate data security incidents on behalf of organizations and government agencies. In 2015, the company analyzed more than 500 cybersecurity events in more than 40 countries. Details of the data breaches are published in the Verizon Data Breach Digest on Verizon's website. The objective is to educate the public about emerging threats, including attack trends, methodologies, types of data and targeted individuals and industries.
The digest provides a timeline of each event, including events leading up to breaches, details of investigations and the how the company helped organizations recover. "We also rank each of the 18 types of attack, explain who's at risk, and describe what steps you can take to better protect your organization," the authors wrote.
Yahoo stated it has more than 1 billion users worldwide, though the company's fortunes have been sagging for years as other tech companies have snatched away pieces of its search, email and other web-based businesses.
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
