Attacks/Breaches
1/23/2017
02:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

SEC Investigates Yahoo Data Breaches

Report of an SEC probe of Yahoo serves as a new wake-up call for companies to properly disclose breaches in their earnings reports and disclosures.

The Securities and Exchange Commission (SEC) has reportedly launched an investigation to determine whether Yahoo waited too long before sharing with investors that it had been hit with two major data breaches.

Businesses are required by the SEC to report cyber-risks as soon as they are believed to affect investors. The Wall Street Journal, citing sources familiar with the matter, reports the SEC requested documents in December as part of an inquiry into whether Yahoo obeyed these laws.

Investigators are likely looking into Yahoo's 2014 data breach, which exposed the account information of 500 million users. Yahoo waited two years before disclosing the breach in September 2016, and it botched the delivery.

"They did an awful job at breach notification," says Jeff Pollard, principal analyst at Forrester, of Yahoo's public handling of the data breach. Yahoo's language and communication channels were poorly chosen, he explains, and there was little emphasis on the victims whose data was compromised.

"There was a lot of discussion about Yahoo, but not a lot of discussion about Yahoo users," Pollard notes. The disclosure of an August 2013 breach, which exposed the data of more than 1B users, was "a bit better" when Yahoo made the announcement in December 2016.

However, there is room for improvement. The results of this investigation could have long-term implications for all organizations affected by cybercrime.

"By 2016, data breaches have become common," says Pollard. "That's a sad fact, but it's also true. The bar has been raised for what a good response, and good [customer] notification, looks like."

The current SEC investigation is a signal that cybersecurity is an issue that must be discussed as businesses prepare earnings reports and disclosures, for instance. From a regulatory perspective, he continues, it's a topic nobody can avoid.

As cyber threats continue to grow, companies will be forced to think about how they're investigating data breaches and communicating their findings. Their strategies can affect both brand resilience and customer trust.

How long should companies wait before disclosing security breaches? This will be a difficult question to answer as they balance the importance of a thorough investigation with customer needs.

"It's tough to say you should notify customers quickly because you want to be as thorough as possible," says Pollard. "At the same time, you have an obligation. Once you have some degree of information that allows you to understand how customers and partners might be affected, you should notify them."

It's worth noting that Yahoo disclosed both the 2013 and 2014 data breaches after it agreed to sell core businesses to Verizon last summer, which some experts believe is part of the reason its breaches have become so highly publicized.

"Yahoo is having all this play out in the headlines because of their name and the Verizon deal," says Jonathan Sander, vice president of product strategy at Lieberman Software. "It's all too likely that any IT shop could find themselves in the same boat if they came under this level of scrutiny."

Pollard also questions whether the SEC would be digging into Yahoo's data breaches if not for the potential size of its Verizon deal. Regardless of its outcome, he says, if the legal system begins to consider cybersecurity a material matter, it will inform regulatory bodies they need to think about it as well.

Related Content

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/26/2017 | 5:56:36 PM
Do we need a US version of GDPR?
The penalty for such breaches and lack of their disclosure for two years would be significant after May 2018 in Europe.  It is also surprising that with all that is found on the dark net companies would avoid disclosing. Or maybe they really had no idea they had been breached? We may not ever know but a fact is regulations will tighten to avoid such avoidance of disclosure.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.