The ongoing saga of Yahoo’s data breach
Facts are in dispute, Yahoo’s explanations are conflicting, and Congress can’t agree what to do. This much we know: On September 22, Yahoo admitted that some 500 million accounts had been stolen by hackers, including encrypted passwords, names, phone numbers, e-mails, but not banking information. The breach actually occurred two years ago, but apparently Yahoo only discovered the theft some weeks before the public announcement. Beyond these bare details, not a lot more is known — a situation that has produced a cascade of questions and allegations.
For instance, Yahoo has not disclosed an exact timeline showing when it learned about the breach. The company stated, “We don’t know how the bad guys got in.” It has also asserted that the theft was perpetrated by a “state-sponsored actor,” though it provided no technical details to support this claim. There are both private and public implications stemming from Yahoo’s voluminous customer-data breach. In July, Verizon agreed to pay $4.8 billion for Yahoo’s core business. Thus, the timing of the subsequent hacking incident could have a direct impact on the proposed takeover — and has produced suspicions about when Yahoo learned of the huge theft.
Senator Richard Blumenthal (D., Conn.) has demanded that regulators “investigate whether Yahoo may have concealed its knowledge of this breach in order to artificially bolster its valuation in its pending acquisition by Verizon.” His suspicions no doubt deepened after learning that Yahoo had claimed in an SEC filing on September 9 that it had no knowledge of any incident that could adversely affect the sale to Verizon. In addition, a Yahoo customer has launched a lawsuit, accusing the company of “gross negligence” of customer data and seeking class-action status.
The brief suggested that Yahoo had neglected customer privacy and refused, despite warnings, to bulk up its security defenses.