The Great Yahoo Data Breach: 6 Steps to Reducing Risk
There are many lessons from the Great Yahoo Data Breach, including six steps your enterprise should take to minimize risks or respond when a breach is identified.
- By Brian J. Dooley
- October 10, 2016
The story of the Great Yahoo Data Breach continues to unfold. Information remains somewhat scant, as has become the tradition in reporting large, successful data hacks by unknown individuals or organizations. The items stolen were not of an absolutely critical nature—names, contact details, email addresses, hashed passwords, and personal information—but this is data that could be used for further attacks or identity theft, particularly on the unwary.
Many, if not most, people will respond to some form of phishing attack at some time. With half a billion individuals, it would not be difficult to find thousands of instances where a more serious exploit could be established against financial information or to provide an entry past corporate firewalls. With this in mind, it is imperative that individuals know what happened as soon as possible so they can protect themselves, right?
Alas, no such protection was undertaken. The actual incident occurred two years ago, in 2014, and was only admitted by the company after data on 200 million individuals was made available on the Dark Web. At the same time, Yahoo was on the point of being purchased by Verizon, raising the tricky question of whether such a major data breach required greater attention in determining the company's value.
This is a particularly egregious incident, but it is not the first; neither is it the first one to be handled poorly. Adding to the potential ramifications of the breach itself are the risks that weigh on the late and insufficient announcement, making victims into potential litigators and opening issues of transparency and valuation with Verizon.
Legal firms are already looking at the implications. According to Robert Cattanach, a partner at the international law firm Dorsey & Whitney, "One would expect regulators to launch an exhaustive investigation into the cause of the breach and Yahoo's failure to detect it once it occurred, with enforcement action almost a certainty. As for the average consumer, there may not be much of a remedy. Yahoo has yet to offer any identity theft or credit monitoring commitments, and absent some demonstrated actual harm occurring in some similar way to Yahoo's customers, class action relief may be hard to come by."
This is not to say that people won't be trying. There are already several class action suits in preparation. At the very least, there will be extremely costly litigation; at worst, there could be huge fines, loss of business, failure of the Verizon deal, and very expensive customer compensation.
For cyberscurity and investment experts, it's a complex affair. "Welcome to the world of the half-a-billion-account hacks," says Mr. Edgar Perez, author of The Speed Traders and Knightmare on Wall Street.
"Yahoo is already notifying potentially affected users and has taken steps to secure their accounts. All users should change their passwords immediately; furthermore, millions of them have provided Yahoo with backup email addresses, which probably have the same passwords as their main account. These passwords have to be changed as well. Hackers also try the email-password combination across other platforms to see which ones work; therefore, users are encouraged to change these passwords as well."
Is Encryption Enough?
What do enterprises need to do to ensure it doesn't happen to them? Yahoo passwords themselves were encrypted with bcrypt hashing, but the rest of the data was apparently unencrypted. This is fairly common for a large database such as Yahoo's, but the data was likely not considered all that critical. Protection of such data is often minimal, and there have been many breaches.
A similar case is the 2013 MySpace breach of data on 360 million users, which was not discovered until 2016 -- three years later. This was also by the hacker known as "Peace" who was also offering 200 million Yahoo data sets that might have come from the recently revealed incursion. LinkedIn and Ebay also suffered data breaches affecting in excess of 150 million users each.
Password encryption is the minimum protection users should expect. The Personally Identifiable Information (PII) contained in these databases is itself valuable for enabling further attacks both within the hacked company and with any other online account susceptible to simple verifications based on secret questions. The data could also be used with any number of vectors that might be accessed through phishing from apparently trusted realms.
The risks from these incidents are continuing to grow, and legislators have been moving toward regulations and restrictions, such as a requiring early notification of affected users. The courts will likely be less tolerant of casual security approaches, and attitudes are shifting. Yahoo claimed this was a "state sponsored" entity, which has been disputed, but there are large, organized actors attempting to use data for very sophisticated exploits that can be helped by analytics and big data. Companies need to harden their approach and ensure that they have a fully functional response center. Just as it has been said that the user is the new enterprise perimeter, perhaps the individual consumer's PII is the new perimeter of data risk.
Encryption is a key tool in ensuring that data can be protected. According to Zulfikar Ramzan, CTO of DELL/EMC security group RSA, "Encryption is a fundamentally important tool for mitigating the negative impact of a breach. Organizations should try to use encryption for their most important information assets."
However, encryption is not a panacea. "In some cases, it might not be possible to easily encrypt data because that data actively being examined. Also, encryption does not necessarily allow organizations to avoid breaches; rather, it mitigates the downstream damage."
Building a Comprehensive Strategy
Encryption is only part of a much broader solution, notes Ramzon. "A comprehensive security strategy should employ a wide variety of capabilities for protecting themselves, ranging from identity and access management to pervasive monitoring of their most critical assets. Ultimately, today's world dictates that security must be business driven. In other words, security measures have to be aligned around specific business objectives, and the impact each measure has to business objectives must be clear."
What can you do? Be prepared, and expect the worst. Also:
- Don't get hacked; this is obvious, of course, but it's important to review security measures in a changing environment
- Make it difficult to use any acquired data by encrypting it
- Use multi-step verification for identifiable data
- Let affected users and customers know of a release of their information ASAP
- Ensure that information about serious breaches is available to investors
- Never assume the seemingly trivial information is valueless and without risk
Every enterprise will have different requirements, but Yahoo's breach is a wake-up call. The peril will only increase as data sets get larger and the ability to analyze them and automate attacks continues to evolve.