News About The Massive Data Breach At Yahoo Isn't Pretty
Wednesday, September 28, 2016
The news about Yahoo's massive data breach seems to be getting worse. The Oregonian reported:
" "Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter. A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous. Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time..."
Apply those success rates to half a billion stolen credentials and criminals have plenty of opportunities to break into consumers' online accounts. And, this list of seven ways the breach has exposed consumers to online banking fraud is definitely accurate.
The tech company's stock has dropped 4 percent since September 22. During an interview, Tim Armstrong, the head of Verizon's AOL, would not comment about whether Verizon might renegotiate the $4.8 billion purchase price of its cash offer for Yahoo's core business. Experts have speculated about whether or not the breach might trigger the "material adverse effect" clause in the purchase transaction.
"Cybersecurity specialist Venafi conducted research into how well Yahoo reacted to the breach, in particular the cryptographic controls Yahoo still has in place, and said the results were “damning.” Researchers said Yahoo had still not “taken the action necessary to ensure they are not still exposed and that the hackers do not still have access to their systems and encrypted communications.” Furthermore Venafi warned that “Yahoo is still using cryptography (MD5) that has been known to be vulnerable for many years now.” "
On Monday, U.S. Senator Mark R. Warner (D-VA) requested that the U.S. Securities and Exchange Commission (SEC) investigate Yahoo and its executives. Senator Warner said in a statement:
"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications," wrote Sen. Warner, a former technology executive. "Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it."
Senator Warner called on the SEC:
"... to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,
Also, six U.S. Senators sent a letter on September 27 to Marissa Mayer, the Chief Executive Officer at Yahoo, demanding answers about precisely how and why the massive breach went undetected for so long. The letter by Senators Richard Blumenthal (D-CT), Al Franken (D-MN), Patrick Leahy (D-VT), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), and Ron Wyden read in part:
"We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. That is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of Americans in recent years, but it is by far the largest. Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps to be taken to protect that information."
Indeed. Consumers have these reasonable and valid expectations. The letter demands that the tech company provide a briefing to the Senators' staffs with answers to a set of eight questions including a detailed timeline of events, specific systems and services affected, steps being taken to prevent a massive breach from happening again, and how it responded to any communications and warnings by government officials about state-sponsored hacking activity.
Elizabeth Denham, the Information Commissioner of the United Kingdom (UK), released a statement on September 23 demanding answers from Yahoo:
"The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be. The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today. We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected..."
Some consumers aren't waiting for lawmakers. The Mercury News reported:
"... a class-action suit accusing the Sunnyvale tech firm of putting their finances at risk and failing to notify them earlier about the breach. “While investigating another potential data breach, Yahoo uncovered this data breach, dating back to 2014,” the lawsuit, filed Thursday in U.S. District Court in San Diego, said. “Two years is unusually long period of time in which to identify a data breach.” On Friday in U.S. District Court in San Jose, a second class-action suit was filed over the hack. Plaintiff Ronald Schwartz, of New York, claims his personal information was stolen. His suit calls Yahoo’s treatment of users’ data “grossly negligent” and alleges that circumstantial evidence indicates “Yahoo insiders” knew of the breach “long before it was disclosed.” "
Reportedly, one of the plaintiffs has already experienced financial fraud as a result of identity theft from the data breach.
As catastrophic as the massive Yahoo data breach has been and is for the security of ordinary consumers and institutions and as catastrophic as it has been and is for the privacy of ordinary consumers, there is at least one good thing: It is now completely untenable, as a matter of law and logic, to maintain that the personal information that was stolen was not the intellectual property of the individual consumers who either provided it and/or authored it through their acts on the Internet. For how can it be otherwise? Surely Yahoo and all of the companies that have suffered and all of those who, by acquiring and handling our personal information, risk data breaches have not suffered and do not risk the theft of their own information, but the personal information that they would not and could not possibly have, unless customers/users either provided it to them and/or authored it by their acts on the Internet. So, as a matter of law and logic, a customer's personal information must be and is his.
Yahoo and others' data breaches also make clear the implications of the foregoing patent truth that customers/users' personal information is theirs. That implication is that customers/users' personal information is their intellectual property, which as their intangible, unique expressions, once reduced to any intelligible medium, such as computer memory, is their copyrighted work.
Now that it is clear beyond further peradventure that we, the people, own our personal information and have a copyright in it, isn't it time that courts also acknowledged this patent truth? Isn't it time for the FCC and FTC to also acknowledge and honor the same simple and obvious truth? For until the courts and government regulators do honor that patent truth, that each of us has an exclusive proprietary interest in his personal information, as his intellectual property, then all of the firms who acquire and risk our personal information for their profits will continue to do so with either impunity from civil and criminal law or will risk suffering civil and criminal sanctions that are inadequate to compensate consumers/users for the misappropriation of their personal information, won't receive adequate compensation for any damage that they suffer as a result of the misappropriation of their personal information, and the law will not have sufficiently severe sanctions to deter the misappropriation of our personal information and/or misuse of our personal information.
Posted by: Chanson de Roland | Thursday, September 29, 2016 at 03:20 PM