Case study

There seems to be a cybersecurity headline once a week about at least one company or government agency being hacked or reporting some type of breach. Yahoo Wins the Gold and Silver Medal for the Worst Hacks in History! It wasn't until Fall 2016 that Yahoo alerted its users and the public to the first of two of the largest known breaches of user information in history that had occurred 2-3 years earlier. On September 22, 2016, Yahoo publicly disclosed that over 1 billion Yahoo account records were stolen in mid-2013. A second news release on December 15, 2016, revealed a second attack that occurred in 2014 when the account information of over 500 million Yahoo account holders was breached. The delay in reporting is partly due to the fact that Yahoo itself did not know of the breach until shortly before releasing these statements to the public. The information leaked in the attacks included e-mail accounts, telephone numbers, street addresses, unencrypted security questions and answers, but no financial information. To add insult to injury, at the time of the first news release, Yahoo was in negotiations with megacorporation Verizon to acquire Yahoo for $4.83 billion. After the first news release, Verizon said that the announcement could have a negative impact on their purchasing decision. The second news release caused Verizon to further review the financial implications of the two breaches and reduce its offer by $350 million. The 2013 breach was conducted by an unknown unauthorized third party. The information stolen in the 2014 attack was sold by a "state-sponsored actor" on the Dark Web for 3 Bitcoins (approx. $1,900). The actor, who used the name "Peace" is of Russian origin and attempted to sell data from 200 million Yahoo users online. Yahoo urged all of its users to change their passwords and security questions and to review their accounts for suspicious activity. To date, little information has been released on the 2013 breach, but more is known about the incident that occurred in 2014. How the Second Attack was Carried Out The data theft was similar to the way in which a typical online attack of a database is carried out. The protections used for database containing the login and personal information were insufficient to protect against the advanced methods used by the hackers. In this case, the encryption method employed in the database was broken by the hacker. Additionally, cybercrime analyst Vitali Kremez maintains that the hacker stole the information from Yahoo slowly and methodically so as to not draw attention to the breach taking place. Since the breach was not immediately detected, the hacker had plenty of time to leverage the information in a financially, personal, or politically beneficial manner. It is not clear if the seller is the original hacker. Impact of the Data Breach Since the breaches were so devastating and far reaching to most of Yahoo customer base, Verizon is having second thoughts about the acquisition. Craig Silliman, general counsel to Verizon, said Verizon has "a reasonable basis" to believe that the data breach will have a significant impact on the deal proceedings and the likelihood that it will actually happen (Fiegerman, 2016). He furthers to explain that Yahoo will have to convince Verizon that the breach will not affect future processes in the company and that more security features have been and will be implemented. Also, the incidents could make the Yahoo deal worth about $200 million less than the $4.8 billion initially settled upon. In addition to the decreased value of Yahoo's core assets, the company's stock fell about 2% after the comments by Craig Silliman. Justice is Served On March 17, 2017, the U.S. Department of Justice indicted two Russian Intelligence agents and two state-sponsored hackers, Alexsey Belan and Karim Baratov, for the theft of the Yahoo user data in 2014. Belan, one of the FBI's most notorious criminal hackers, had been previously indicted in two other cases. In the indictments it was revealed that the targets of the theft included Russian journalists, U.S. and Russian government officials, military personnel, and private-sector employees of financial, transportation, and other companies (Balakrishnan, 2017). The obvious issue surrounding the Yahoo data breaches is Internet security. Simple username, password, and security questions simply are not enough to keep hackers at bay. UC Davis professor Hemant Bhargava notes that two-factor authentication (TFA) is successful in many other companies and that Yahoo should follow suit (Matwyshyn & Bhargava, 2016). An example of TFA would be that a user is asked to enter information such as username and password, then a mobile app generates and sends a random number code for the user to enter before being granted access to his or her account. Both the Yahoo account and the mobile app are linked to a common, secure account. This method is exceptionally popular and useful since over 50% of Web users access the Web through their mobile phones.

questions

Why do you think Yahoo was targeted for these data breaches?

Why did Yahoo keep the breaches from the public eye?

How did their non-disclosure affect Yahoo's relationship with its customers and partners?

In addition to the data theft, what else was damaged by this incident?

. Explain whether these cybersecurity incidents were foreseeable.

Also explain whether they were avoidable.