On the Yahoo hack, this much we do know: On September 22, Yahoo admitted that some 500 million accounts had been stolen by hackers, including encrypted passwords, names, phone numbers, e-mails, but not banking information. The breach actually occurred two years ago, but apparently Yahoo only discovered the theft some weeks before the public announcement.
Beyond these bare details, not a lot more is known — a situation that has produced a cascade of questions and allegations. For instance, Yahoo has not disclosed an exact timeline showing when it learned about the breach. The company stated, “We don’t know how the bad guys got in.” It has also asserted that the theft was perpetrated by a “state-sponsored actor,” though it provided no technical details to support this claim.
There are both private and public implications stemming from Yahoo’s voluminous customer-data breach. In July, Verizon agreed to pay $4.8 billion for Yahoo’s core business. Thus, the timing of the subsequent hacking incident could have a direct impact on the proposed takeover — and has produced suspicions about when Yahoo learned of the huge theft. Senator Richard Blumenthal (D., Conn.) has demanded that regulators “investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”
His suspicions no doubt deepened after learning that Yahoo had claimed in an SEC filing on September 9 that it had no knowledge of any incident that could adversely affect the sale to Verizon. In addition, a Yahoo customer has launched a lawsuit, accusing the company of “gross negligence” of customer data and seeking class-action status. The brief suggested that Yahoo had neglected customer privacy and refused, despite warnings, to bulk up its security defenses. (Coincidentally, a blistering New York Times report published on September 28 chronicled the “back seat” status of Yahoo’s security team.)
Finally, in recent days, an information-security firm, InfoArmor, has published strong evidence that Yahoo’s data breach was not done by a state-sponsored group but rather by private hackers (it calls them Group E) who are selling Yahoo customer data to other criminal groups (and in one instance to a state-sponsored group). InfoArmor claims that it has been tracking Group E for three years, as it has been selling purloined data for substantial sums. InfoArmor’s forensic digging has led cybersecurity expert Bruce Schneier to charge that Yahoo’s state-sponsored-culprit claim is “code for ‘please don’t blame us for shoddy security because it was a really sophisticated attacker and we can’t be expected to defend ourselves against that.’”
All of this has produced the usual high dudgeon among members of Congress — and a cacophony of opinions, numerous proposals, and no agreement on a specific legislative solution. These include a joint proposal from Senators Tom Carper (D., Del.) and Roy Blunt (R., Mo.), supported by the financial-services industry; another data-breach draft bill from Senator Mark Warner (D., Va.); and further legislation sponsored by ranking Commerce Committee member Senator Patrick Leahy (D., Vt.) and several other Democratic senators that is supported by many privacy and consumer-advocacy groups.
All of the various bills would set a national standard for security protections and would dictate disclosures for breaches.
All of the various bills would set a national standard for security protections and would dictate disclosures for breaches. But there is great disagreement over details: For instance, the financial-services industries want retailers to be held to the same disclosure standards as the ones they must abide by, while retailers resist these changes; consumer groups are fearful that a weak federal standard could preempt stronger state data-security laws. The bottom line: Almost certainly the differences will not be hashed out in the present Congress or in the upcoming lame-duck session. Legislative action must await the next Congress in 2017.
But this does not mean that Yahoo is off the hook. Senator Warner has asked the Securities and Exchange Commission to investigate whether Yahoo’s senior executives improperly failed to disclose the 500-million-customer breach in timely fashion. The issue may become a test case for the SEC, which way back in 2011 issued a “guidance” to companies mandating that they notify the agency if a breach occurred that could have a “material adverse effect on the business.” According to critics, the SEC has not followed up on the guidance, having failed to act against a single company for non-disclosure of a cyber incident.
But even within the Obama administration, there is no consensus about what action the government should take against recalcitrant companies. Recently, Secretary of Commerce Penny Pritzker warned against the unintended consequences of a harsh crackdown for non-disclosure. She raised the fear that strict rules on disclosure could deter companies from cooperating with the government. She stated: “We cannot blame executives from worrying that what starts today as an honest conversation about a cyberattack could end tomorrow in a ‘punish the victim’ regulatory enforcement action.”
And finally, to add one more complication, it has just been disclosed that Yahoo agreed to create a program to scan users’ e-mails at the request of U.S. intelligence officials. In protest, the company’s chief information-security officer resigned, and a tech-savvy congressman, Representative Ted Lieu (D., Calif.), labeled the action “big brother on steroids.” It is hard to know how such unprecedented aid to U.S. intelligence efforts will balance out against the lack of due diligence to protect 500 million accounts against hack attacks.
At this point, all one can say is “Stay tuned.” Who knows, the government may get its act together some day.