What the Yahoo Data Breach May Mean for Companies
On September 22, 2016, Yahoo announced it had suffered a 2014 network breach resulting in the compromise of information of approximately 500 million Yahoo account users. Information believed to have been stolen includes names, email addresses, telephone numbers, dates of birth, and hashed passwords. It is not believed, at this time, that unprotected passwords, payment card data, or bank account information has been compromised. The exact fallout of the data breach remains uncertain; however, certain risks may be on the rise.
Yahoo initially blamed the breach on state-sponsored activity – namely Russia or China – but some critics were skeptical. A week after Yahoo’s announcement, the cybersecurity firm InfoArmor cast further doubt on Yahoo’s explanation when the firm opined that the 2014 data breach was carried out by a group of professional black-hat hackers working for Eastern European organized crime. This same group is believed to be behind other high-profile data breaches, including those suffered by LinkedIn, MySpace, and Tumblr. InfoArmor stated that the compromised information includes the previously disclosed categories of information, as well as cell phone numbers and ZIP codes (when provided by the user for password recovery). The Yahoo data reportedly has been sold in private deals, one for $300,000.
The massive size of the data breach poses risks. InfoArmor’s report suggests that the data breach “may be the key in several targeted attacks against US Government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community happened in October 2015.” There are other risks.
Because many people use the same username and password across multiple sites, a hacker may use the stolen data in what is called "credential stuffing." Credential stuffing is a brute-force attack whereby attackers replay stolen username and password pairs against other websites until they find a pair that still works. An even greater risk is phishing and other social engineering attacks on company employees by those who seek access into a company’s network. Given the quantities of data involved, that information – such as names and ZIP codes – can be culled to obtain additional information about affected users. Emails are then crafted to trick an employee into opening an infected attachment or link embedded in an email on the belief that the source of the email is trustworthy. Once the infected file is opened, the hacker is granted access into the company’s network, bypassing the company’s network security, to wreak havoc. Trojans – beware of Greeks bearing gifts!
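As an added illustration (not part of the original article), the following Python heuristic separates the credential-stuffing pattern described above from an ordinary user mistyping a password. The log format (one line per login attempt: timestamp, source IP, username, result), the sample log, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source replays leaked
# username/password pairs against many accounts; one legitimate user
# mistypes her own password twice and then succeeds.
SAMPLE_LOG = """\
2016-10-03T14:02:01 203.0.113.7 alice@example.org LOGIN_FAIL
2016-10-03T14:02:02 203.0.113.7 bob@example.org LOGIN_FAIL
2016-10-03T14:02:02 203.0.113.7 carol@example.org LOGIN_FAIL
2016-10-03T14:02:03 203.0.113.7 dave@example.org LOGIN_OK
2016-10-03T14:02:03 203.0.113.7 erin@example.org LOGIN_FAIL
2016-10-03T14:02:04 203.0.113.7 frank@example.org LOGIN_FAIL
2016-10-03T14:02:04 203.0.113.7 grace@example.org LOGIN_FAIL
2016-10-03T14:05:10 198.51.100.22 heidi@example.org LOGIN_FAIL
2016-10-03T14:05:30 198.51.100.22 heidi@example.org LOGIN_FAIL
2016-10-03T14:05:45 198.51.100.22 heidi@example.org LOGIN_OK
"""

def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """One alert per (source IP, time bucket) that looks like credential stuffing.

    Stuffing differs from a user fumbling a password: a single source tries
    many DISTINCT usernames, most attempts fail, and any success is a stolen
    pair that still works here (those accounts need a forced reset).
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        bucket_start = ts - ((ts - datetime.min) % window)  # fixed-size time bucket
        buckets[(ip, bucket_start)].append((user, result))
    alerts = []
    for (ip, start), attempts in buckets.items():
        users = {u for u, _ in attempts}
        fails = sum(1 for _, r in attempts if r == "LOGIN_FAIL")
        if len(users) >= min_users and fails / len(attempts) >= min_fail_ratio:
            alerts.append({"source_ip": ip, "window_start": start.isoformat(),
                           "distinct_users": len(users),
                           "fail_ratio": round(fails / len(attempts), 2),
                           "hit_accounts": sorted(u for u, r in attempts if r == "LOGIN_OK")})
    return alerts

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

The legitimate retries from 198.51.100.22 produce no alert because they involve only one username; the stuffing source is flagged together with the single account where a stolen pair succeeded.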
For many companies, phishing may be the greatest risk posed by the Yahoo data breach. According to Verizon’s 2016 Data Breach Investigation Report, successful phishing attacks rose to 30% despite better employee training and overall awareness of phishing scams and their dangers. The rise in phishing scam success rates suggests that hackers are getting better at drafting emails that fool employees. Hackers’ timing is better, too. Thursday and Friday afternoons have the highest success rates for phishing attempts, and would-be hackers know this. The same Verizon report documented that the mean time from when a phishing email hits an employee’s mailbox to when the email is opened is 1 min., 40 sec. The mean time for an employee to open an infected link or file is 3 min., 45 sec. A sophisticated hacker can target a hundred different employees a hundred different ways. It takes only one mistake made in the span of a few minutes to break into your company’s system.
There are measures that a company can undertake to help protect itself, and this is where cyber counsel can add value. A company should educate and train its employees, especially given the rise in phishing, and confirm the types and amounts of insurance it has, including cybersecurity insurance. Company management should review the security measures adopted by its IT personnel and update or improve those measures if need be. A company also should conduct a tabletop exercise under its cyber incident response plan. If your company does not have a response plan, prepare one! It’s critical.
The benefit of these measures is twofold. First, they may help your company prevent, or more likely, recover from a cyber incident. Resiliency to a cyber incident is a key here. The belief that your company will never suffer a cyber incident is an unreasonable one. Second, focusing on and addressing cyber risk will enable your company to demonstrate that it satisfied its ever-expanding duty of care. This latter concept is critical, especially if your company does suffer a data breach, and lawsuits and investigations by regulatory authorities follow. Thus, Yahoo’s announced data breach provides companies with a good opportunity to revisit their cybersecurity measures and better prepare for the risks that will come.
Josh Mooney is Co-Chair of the firm's Cyber Law and Data Protection Group. If you have questions or would like additional information, please contact Josh (firstname.lastname@example.org; 215.864.6345) or another member of our Group.