Law & the Courts

The Ongoing Saga of Yahoo’s Stolen Data

(Dreamstime image: Maxkabakov)
Facts are in dispute, Yahoo’s explanations are conflicting, and Congress can’t agree what to do.

On the Yahoo hack, this much we do know: On September 22, Yahoo admitted that some 500 million accounts had been stolen by hackers, including encrypted passwords, names, phone numbers, e-mails, but not banking information. The breach actually occurred two years ago, but apparently Yahoo only discovered the theft some weeks before the public announcement.

Beyond these bare details, not a lot more is known — a situation that has produced a cascade of questions and allegations. For instance, Yahoo has not disclosed an exact timeline showing when it learned about the breach. The company stated, “We don’t know how the bad guys got in.” It has also asserted that the theft was perpetrated by a “state-sponsored actor,” though it provided no technical details to support this claim.

There are both private and public implications stemming from Yahoo’s voluminous customer-data breach. In July, Verizon agreed to pay $4.8 billion for Yahoo’s core business. Thus, the timing of the subsequent hacking incident could have a direct impact on the proposed takeover — and has produced suspicions about when Yahoo learned of the huge theft. Senator Richard Blumenthal (D., Conn.) has demanded that regulators “investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.”

His suspicions no doubt deepened after learning that Yahoo had claimed in an SEC filing on September 9 that it had no knowledge of any incident that could adversely affect the sale to Verizon. In addition, a Yahoo customer has launched a lawsuit, accusing the company of “gross negligence” of customer data and seeking class-action status. The brief suggested that Yahoo had neglected customer privacy and refused, despite warnings, to bulk up its security defenses. (Coincidentally, a blistering New York Times report published on September 28 chronicled the “back seat” status of Yahoo’s security team.)

RELATED: Wanted: A Real National Cyber Action Plan

Finally, in recent days, an information-security firm, InfoArmor, has published strong evidence that Yahoo’s data breach was not done by a state-sponsored group but rather by private hackers (it calls them Group E) who are selling Yahoo customer data to other criminal groups (and in one instance to a state-sponsored group). InfoArmor claims that it has been tracking Group E for three years, as it has been selling purloined data for substantial sums. InfoArmor’s forensic digging has led cybersecurity expert Bruce Schneier to charge that Yahoo’s state-sponsored-culprit claim is “code for ‘please don’t blame us for shoddy security because it was a really sophisticated attacker and we can’t be expected to defend ourselves against that.’”

All of this has produced the usual high dudgeon among members of Congress — and a cacophony of opinions, numerous proposals, and no agreement on a specific legislative solution. These include a joint proposal from Senators Tom Carper (D., Del.) and Roy Blunt (R., Mo.), supported by the financial-services industry; another data-breach draft bill from Senator Mark Warner (D., Va.); and further legislation sponsored by ranking Commerce Committee member Senator Patrick Leahy (D., Vt.) and several other Democratic senators that is supported by many privacy and consumer-advocacy groups.

All of the various bills would set a national standard for security protections and would dictate disclosures for breaches.

All of the various bills would set a national standard for security protections and would dictate disclosures for breaches. But there is great disagreement over details: For instance, the financial-services industries want retailers to be held to the same disclosure standards as the ones they must abide by, while retailers resist these changes; consumer groups are fearful that a weak federal standard could preempt stronger state data-security laws. The bottom line: Almost certainly the differences will not be hashed out in the present Congress or in the upcoming lame-duck session. Legislative action must await the next Congress in 2017.

But this does not mean that Yahoo is off the hook. Senator Warner has asked the Securities and Exchange Commission to investigate whether Yahoo’s senior executives improperly failed to disclose the 500-million-customer breach in timely fashion. The issue may become a test case for the SEC, which way back in 2011 issued a “guidance” to companies mandating that they notify the agency if a breach occurred that could have a “material adverse effect on the business.” According to critics, the SEC has not followed up on the guidance, having failed to act against a single company for non-disclosure of a cyber incident.

RELATED: The Destructive Threat of Cyber Warfare

But even within the Obama administration, there is no consensus about what action the government should take against recalcitrant companies. Recently, Secretary of Commerce Penny Pritzker warned against the unintended consequences of a harsh crackdown for non-disclosure. She raised the fear that strict rules on disclosure could deter companies from cooperating with the government. She stated: “We cannot blame executives from worrying that what starts today as an honest conversation about a cyberattack could end tomorrow in a ‘punish the victim’ regulatory enforcement action.”

And finally, to add one more complication, it has just been disclosed that Yahoo agreed to create a program to scan users’ e-mails at the request of U.S. intelligence officials. In protest, the company’s chief information-security officer resigned, and a tech-savvy congressman, Representative Ted Lieu (D., Calif.), labeled the action “big brother on steroids.” It is hard to know how such unprecedented aid to U.S. intelligence efforts will balance out against the lack of due diligence to protect 500 million accounts against hack attacks.

At this point, all one can say is “Stay tuned.” Who knows, the government may get its act together some day.

Most Popular

World

Trump’s Disgraceful Press Conference in Helsinki

On Monday, President Trump gave a deeply disgraceful press conference with Russian dictator Vladimir Putin. The presser began with Trump announcing that although the Russia–U.S. relationship has “never been worse than it is now,” all of that “changed as of about four hours ago.” It was downhill from ... Read More
Culture

Questions for Al Franken

1)Al, as you were posting on social media a list of proposed questions for Supreme Court nominee Brett Kavanaugh, did it occur to you that your opinion on the matter is no more relevant than Harvey Weinstein’s? 2) Al, is it appropriate for a disgraced former U.S. senator to use the Twitter cognomen “U.S. ... Read More
White House

The President’s Do-Over

I agree with Jonah on all counts: On net, President Trump’s do-over of his Helsinki remarks is a good thing; regrettably, it is not sincere; and while I hope the revised version is the one he sticks to, I don’t have confidence that will be the case -- as posited in my column Tuesday on the folly of having the ... Read More
National Security & Defense

Trump’s Helsinki Discord

Donald Trump is not, and never will be, the Moscow correspondent for The Nation magazine, and he shouldn’t sound like it. The left-wing publication is prone to extend sympathetic understanding to adversaries of the United States and find some reason, any reason, to blame ourselves for their external ... Read More