Yahoo Spins A Cautionary Tale Dealing With Data Privacy

Yahoo’s announcement that one billion customer email accounts were breached in 2013 – double that of a previously disclosed data breach incident in 2014 – seems like yet another ominous warning of a ‘dangerous and broken cyberspace’. And a big question users are asking is: why did it take so long for the Yahoo! hack to come to light?

There are a variety of reasons why it could take weeks, months, even three years to announce a major breach - even one affecting one billion email accounts. Seventy per cent of breaches take months or years to discover, according to Verizon's 2016 Data Breach Report. Often, evidence only comes to light while investigating something else.

Penetration of systems and extraction of data are often separate events. For example, investigations into the outages on the Ukrainian power grid in 2015 revealed that the systems had been penetrated months before the attacks manifested. The intruders simply sat and waited for the right time.

Yahoo! says that the attackers might have used forged cookies to access user accounts without having to log in. A known feature of cybersecurity, identified by the Global Commission on Internet Governance, is that attack is easier than defence. On what is currently known, the Yahoo! attack doesn’t seem to be the result of a blatant security flaw – although this may change as more details are revealed.

Whether or not Yahoo! knew of the hacks before it made its announcements, the company’s vulnerability to ‘forged cookies’ may be evidence of crumbling internal security, or poor prioritization by the top team.

Yahoo! apparently failed to invest in intruder-detection mechanisms. For some time, news reports have been circulating about internal differences between its security and top management teams. The reports highlight a disconnect between two key functions within the organization, and that lack of coherence itself could create an enabling environment for security breaches.
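The two technical points above, forged session cookies and the absence of intruder detection, are easier to reason about with a concrete mitigation in front of you. The following is an added illustration, not code from the article and not a description of Yahoo!'s actual session mechanism: a session cookie whose payload is authenticated with an HMAC under a server-held key, so that a cookie fabricated without that key fails verification, plus a small audit routine that treats a burst of signature failures from one client as a detection signal. The key, the timestamps and the client addresses are constructed for the example, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import json
from collections import Counter

# Constructed secret for this example only; a real service loads it from a
# secret store and rotates it. Anyone without this key cannot mint a valid tag.
SERVER_KEY = b"example-only-secret-key-rotate-me"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, now: int, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Build '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    payload = json.dumps({"u": user, "exp": now + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    """Return (user, "ok") for an authentic, unexpired cookie, else (None, reason)."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None, "malformed"
    # Recompute the tag and compare in constant time; a forged or edited payload
    # cannot carry a matching tag unless the attacker also holds the key.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad-signature"
    try:
        claims = json.loads(payload)
        user, exp = claims["u"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if exp <= now:
        return None, "expired"
    return user, "ok"


def audit_cookie_failures(attempts, now, threshold=3, key=SERVER_KEY):
    """Count bad-signature results per client address over a batch of
    (client, cookie) attempts and return the clients at or above threshold.
    Repeated forgery attempts from one source are a cheap intrusion signal."""
    failures = Counter()
    for client, cookie in attempts:
        _, reason = verify_cookie(cookie, now, key)
        if reason == "bad-signature":
            failures[client] += 1
    return {client: n for client, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    now = 1_700_000_000  # constructed reference time (seconds)
    good = issue_cookie("alice", now)
    # A cookie whose payload claims another user but reuses alice's tag.
    forged_payload = _b64(json.dumps({"u": "bob", "exp": now + 3600}, separators=(",", ":")).encode())
    forged = forged_payload + "." + good.split(".", 1)[1]
    print(verify_cookie(good, now))          # ('alice', 'ok')
    print(verify_cookie(forged, now))        # (None, 'bad-signature')
    print(verify_cookie(good, now + 7200))   # (None, 'expired')
    sample = [("10.0.0.5", forged)] * 4 + [("10.0.0.9", good)]  # constructed traffic
    print(audit_cookie_failures(sample, now))  # {'10.0.0.5': 4}
```

The cookie still identifies the user in clear text; the HMAC protects integrity, not confidentiality, and the expiry bounds how long a stolen (as opposed to forged) cookie remains useful. The audit routine is the smallest form of the intruder-detection investment the article says was missing: the verification failures are already computed, so logging and counting them costs almost nothing.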

When a company is hacked or suffers a data breach, its response and public communications can make or break its reputation. Taking leadership over the situation and executing an effective communications plan can restore the shaken trust of a company’s clients and the public. TalkTalk’s disarray following a hack ensured that it was in the headlines for weeks. In contrast, Tesco Bank had refunded customers and resumed normal service days after an ‘unprecedented’ cyber bank-robbery.

New national and international laws and regulations will compel companies to report major data breaches (for example, the EU General Data Protection Regulation, which comes into force in 2018). Having a well-thought-out plan will not only comply with regulations; it will support (rather than hamper) criminal investigations and enable the company to show leadership during a crisis. Yet 42 per cent of companies do not have a communication plan for when a cyber-attack hits.

The reputational damage caused by mishandling a breach’s consequences can be more destructive than the attack itself. Yahoo!’s massive data breaches are currently being investigated by the FBI. They have led to sustained negative press coverage, which in turn may lead to public scepticism of the company. This also has the potential to jeopardize the acquisition deal by Verizon, which is now reportedly looking into either a price cut or killing the deal altogether. This fate, for a once world-leading technology company, should be sobering for all.

Time for higher standards

But it is important to remember that in many ways, even before the Yahoo! hacks, customer emails were not necessarily as private as users may have believed. Thanks to the terms of service of major technology providers, online communications carry a far lower expectation of privacy than would be tolerable for offline equivalents. This is precisely what people ‘agree’ to when they sign up to free accounts from Yahoo!, Google and other major providers. The business models of many technology platforms are highly exploitative: in Shoshana Zuboff’s coinage, these ‘extractive industries’ embody ‘surveillance capitalism’.

Users’ personal information is already out there, including private (even legally privileged) communications. The current so-called choice, to agree or not to participate at all, is often impractical and not a choice at all in a society that now all but requires everyone to have an email address. That leaves many with little alternative but to accept the conditions of Yahoo! or another free email service. It is time for higher standards of privacy in the online environment and real, not illusory, choices about how much information users wish to share with platforms, governments and advertisers. Respect for user privacy would also improve protections against the ever-increasing scale of hacks.

Chatham House Expert Comment

Emily Taylor
Associate Fellow, International Security

Joyce Hakmeh
Academy Fellow, International Security Department
