What we currently know
On Monday 25th July 2016, it was announced that Yahoo was sold to US telecoms giant Verizon for $4.8bn (£3.7bn).
Around the end of July or early August 2016, “Peace” aka “Peace_of_mind” (the hacker behind the Myspace, Tumblr, Twitter and LinkedIn attacks) was allegedly selling 200 million Yahoo user details for 3 bitcoins (approximately $1,860, £1,500) on the Real Deal, a dark web marketplace.
On 9th September 2016, in a proxy filing related to the Verizon deal, Yahoo said it wasn’t aware of any “security breaches” or “loss, theft, unauthorized access or acquisition” of user data.
On Thursday 22nd September 2016, Yahoo blamed “state-sponsored” hackers for what may be the largest-ever theft of personal user data. In an attack that penetrated its network in late 2014, personal data on more than 500 million users was stolen, including names, email addresses, dates of birth, telephone numbers and encrypted passwords. Yahoo said it believes that the hackers are no longer in its corporate network. The company said it didn’t believe that unprotected passwords, payment-card data or bank-account information had been affected.
In a statement, Verizon said it was notified of the breach earlier this week. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact…We will evaluate as the investigation continues.”
Unfortunately this isn’t the first time it’s taken a very long time to notify users of a breach. In May 2016, Myspace notified users of a 2013 breach – perhaps not hitting the headlines as much because many people have moved on from using Myspace. However, also in May this year LinkedIn notified users that a 2012 incident, which they thought affected just 6.5 million accounts, had actually compromised more than 117 million accounts.
So what’s the big deal about this breach? Aren’t we getting numb to all the furore surrounding these increasingly common breaches? From Target to TalkTalk, the media attention and the consequent brand and reputation damage that security breaches cause have been pushing boards and companies to act. But there are three main standouts from this breach that make it a big deal.
1. 500 Million users affected.
It is the single largest data breach so far.
2. Claims of State-sponsored attack
Yahoo claims it was the result of a state-sponsored attack during a period when many computer attacks, including that on the large American insurance provider Anthem, were being blamed on China.
3. Verizon acquisition of Yahoo for £3.7bn
It comes less than 2 months after details of the Verizon deal were announced.
For a company of this scale to claim that it did not notice the breach much sooner points to shockingly poor cybersecurity. Or is it a case of senior figures in the company trying to hide the facts whilst in the middle of a huge takeover deal worth £3.7bn, especially when financial figures showed Yahoo was in the mire?
“The FBI is aware of the intrusion and investigating the matter,” the Federal Bureau of Investigation said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible.”
Many of the news outlets from the BBC to the Wall Street Journal will speculate on whether the Verizon deal will carry on, and why the positions of Marissa Mayer and her board as stewards of Yahoo are still intact, but there’s the small matter of FIVE HUNDRED MILLION users being affected, all of whom have had personally identifiable information (PII) stolen including names, email addresses, dates of birth, telephone numbers and encrypted passwords.
WHEN not IF
Cyber security is all about managing risk. It’s no longer a case of ‘IF’ a company is going to be breached, but ‘WHEN’ it will be breached and how prepared that company is to reduce the time-to-identify and time-to-contain an attack. TWO years probably falls into the unacceptable range for time-to-identify, especially when it impacts 500 million users personally.
Whilst some attacks are all flash, bang and wallop, such as Distributed Denial of Service (DDoS) and ransomware, many more aim to quietly infiltrate an organisation and explore it, stealing the data they come across and exploiting any security weaknesses and vulnerabilities they find once they are on the network. It’s for this reason that internal segmentation firewalls (ISFWs) have become more popular in recent years. If someone broke into your home, say through the kitchen window, but found the kitchen door locked, it would be much harder for them to make their way around your home. If sensors were also on the kitchen door, then an alert could be raised to identify that a breach had taken place.
Most large organisations have dedicated Security Operations Centres (SOCs) with teams responsible for early identification of suspicious activity. They rely on an integrated set of security appliances to monitor logs and activities to identify potential breaches. However, something clearly wasn’t working for Yahoo. Time and the results of investigations will tell how the attackers were able to evade detection for so long, or indeed if there were bad decisions made that aimed to put the company’s deal with Verizon before the impact on the 500 million Yahoo customers.
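The “sensor on the kitchen door” idea can be shown as a small detection rule over ISFW deny logs. This is an added example, not code from any vendor or from Yahoo’s environment; the segment names, address ranges, key=value log format and thresholds are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical internal segments: the "rooms" behind each locked door.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "mail": ipaddress.ip_network("10.20.0.0/16"),
    "userdb": ipaddress.ip_network("10.30.0.0/16"),
    "finance": ipaddress.ip_network("10.40.0.0/16"),
}
# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
2016-09-22T09:00:01 action=allow src=10.10.4.17 dst=10.20.0.5 dport=443
2016-09-22T09:01:10 action=deny src=10.10.4.17 dst=10.30.0.8 dport=3306
2016-09-22T09:02:30 action=deny src=10.10.7.2 dst=10.40.1.1 dport=445
2016-09-22T09:03:45 action=deny src=10.10.4.17 dst=10.40.1.1 dport=445
2016-09-22T09:04:05 action=deny src=10.10.4.17 dst=10.20.0.9 dport=22
2016-09-22T11:30:00 action=deny src=10.10.7.2 dst=10.30.0.8 dport=3306
"""

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def parse(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def lateral_movement_alerts(log_text, min_segments=3, window=timedelta(minutes=10)):
    """Return {src: segments} for hosts denied at >= min_segments doors within window."""
    denies = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        src_seg, dst_seg = segment_of(rec["src"]), segment_of(rec["dst"])
        # Only denied attempts to cross into another known segment count.
        if rec["action"] == "deny" and dst_seg and dst_seg != src_seg:
            denies[rec["src"]].append((rec["ts"], dst_seg))
    alerts = {}
    for src, events in denies.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            segs = {seg for ts, seg in events[i:] if ts - start <= window}
            if len(segs) >= min_segments:
                alerts[src] = sorted(segs)
                break
    return alerts
```

A single denied connection is usually noise; one host rattling several different internal doors within minutes is the pattern worth paging a SOC analyst for, and it shortens time-to-identify.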
We can help
Concerned that your organisation isn’t prepared for a breach or worried that you might have been breached? We can help. From stress testing your security strategy and working with board level and executive leaders to strengthen the Cyber Culture of your organisation, to hands on the ground support in preparing your security ecosystem and responding to incidents. Infosec Partners are proven experts in full-spectrum cybersecurity and a team you can trust.
For your free consultation, complete the adjacent form, or to speak with a trusted advisor immediately, call us on +44 (0)1256 893662.