SEC Investigates Yahoo Data Breaches

Report of an SEC probe of Yahoo serves as a new wake-up call for companies to properly disclose breaches in their earnings reports and disclosures.

The Securities and Exchange Commission (SEC) has reportedly launched an investigation to determine whether Yahoo waited too long before sharing with investors that it had been hit with two major data breaches.

Businesses are required by the SEC to report cyber-risks as soon as they are believed to affect investors. The Wall Street Journal, citing sources familiar with the matter, reports the SEC requested documents in December as part of an inquiry into whether Yahoo obeyed these laws.

Investigators are likely looking into Yahoo's 2014 data breach, which exposed the account information of 500 million users. Yahoo waited two years before disclosing the breach in September 2016, and it botched the delivery.

"They did an awful job at breach notification," says Jeff Pollard, principal analyst at Forrester, of Yahoo's public handling of the data breach. Yahoo's language and communication channels were poorly chosen, he explains, and there was little emphasis on the victims whose data was compromised.

"There was a lot of discussion about Yahoo, but not a lot of discussion about Yahoo users," Pollard notes. The disclosure of an August 2013 breach, which exposed the data of more than 1 billion users, was "a bit better" when Yahoo made the announcement in December 2016.

However, there is room for improvement. The results of this investigation could have long-term implications for all organizations affected by cybercrime.

"By 2016, data breaches have become common," says Pollard. "That's a sad fact, but it's also true. The bar has been raised for what a good response, and good [customer] notification, looks like."

The current SEC investigation signals that cybersecurity is an issue businesses must address when they prepare earnings reports and disclosures, Pollard says. From a regulatory perspective, he continues, it's a topic nobody can avoid.

As cyber threats continue to grow, companies will be forced to think about how they're investigating data breaches and communicating their findings. Their strategies can affect both brand resilience and customer trust.

How long should companies wait before disclosing security breaches? This will be a difficult question to answer as they balance the importance of a thorough investigation with customer needs.

"It's tough to say you should notify customers quickly because you want to be as thorough as possible," says Pollard. "At the same time, you have an obligation. Once you have some degree of information that allows you to understand how customers and partners might be affected, you should notify them."

It's worth noting that Yahoo disclosed both the 2013 and 2014 data breaches after it agreed to sell core businesses to Verizon last summer, which some experts believe is part of the reason its breaches have become so highly publicized.

"Yahoo is having all this play out in the headlines because of their name and the Verizon deal," says Jonathan Sander, vice president of product strategy at Lieberman Software. "It's all too likely that any IT shop could find themselves in the same boat if they came under this level of scrutiny."

Pollard also questions whether the SEC would be digging into Yahoo's data breaches if not for the potential size of its Verizon deal. Regardless of its outcome, he says, if the legal system begins to consider cybersecurity a material matter, it will inform regulatory bodies they need to think about it as well.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

1/26/2017 | 5:56:36 PM
Do we need a US version of GDPR?
The penalty for such breaches and lack of their disclosure for two years would be significant after May 2018 in Europe. It is also surprising that, with all that is found on the dark net, companies would avoid disclosing. Or maybe they really had no idea they had been breached? We may not ever know, but the fact is that regulations will tighten to avoid such avoidance of disclosure.