Data Security and Privacy Alert: Yahoo!’s Data Breach Incidents are Becoming an Extended Tale of Woe for the Company

March 10, 2017

Yahoo’s handling of the disclosure of multiple separate data breach incidents is causing waves of consequences to the company and is a cautionary story for other companies who may find themselves responding to large-scale information security failures.

Yahoo belatedly reported in September 2016 that a breach of its systems occurred in 2014 and that over 500 million user accounts were affected. Intruders captured users' names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords. Then in December of 2016, Yahoo disclosed that a prior breach had occurred in 2013 affecting over 1 billion user accounts and compromising the same types of information. And most recently, on March 4, 2017, Yahoo disclosed a third breach affecting 32 million user accounts, which hackers accessed by using forged cookies.

Although the timeline of Yahoo’s response to the incidents is under investigation by several authorities, including the U.S. Senate, Yahoo has yet to offer a meaningful explanation as to why the company took so long to disclose the incidents publicly. Yahoo says it didn’t know about the 2013 breach until it was approached by law enforcement in Nov. 2016, but the company learned about the 2014 incident the same year it happened, leading to questions about why the breach wasn’t announced until two years later.

The fallout has been severe. Yahoo's general counsel was forced to resign earlier this month and its CEO was docked millions in bonus payments. The company was in negotiations to be acquired by Verizon but was forced to reduce its sale price by $350 million because of the incidents and the delay in disclosure. Now a shareholder has brought a lawsuit against Yahoo over the Verizon sale price reduction. More shareholder suits are likely to follow, and regulatory enforcement actions as well as private consumer class actions are highly probable.

The lesson here is clear: securing consumer data is critically important, but at least as important is the handling of incidents if and when they occur. Anything less than prompt disclosure is likely to lead to an avalanche of consequences for companies.

This Data Security & Privacy Alert is intended to keep readers current on developments in the data security & privacy world and in the law, and is not intended to be legal advice. If you have any questions, please call Sandy B. Garfinkel, Chair of the firm’s Data Security & Privacy Group, at 412‐566‐6868.