The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:
" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."
Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.
The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Amstrong, the head of Verizon's AOL would not comment about whether Verizon might renegotiate its $4.8 billion purchase price cash offer for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.
"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.” "
On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:
"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."
Senator Warner called on the SEC:
"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,
Also, six U.S. Senators sent a letter on September 27 to Marissa Meyer, the Chief executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:
"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."
Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.
Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:
"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."
Some consumers aren't waiting for lawmakers. The Mercury News reported:
"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.” "
Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.