1/23/2017 02:40 PM
SEC Investigates Yahoo Data Breaches

Report of an SEC probe of Yahoo serves as a new wake-up call for companies to properly disclose breaches in their earnings reports and disclosures.

The Securities and Exchange Commission (SEC) has reportedly launched an investigation to determine whether Yahoo waited too long before sharing with investors that it had been hit with two major data breaches.

Businesses are required by the SEC to report cyber-risks as soon as they are believed to affect investors. The Wall Street Journal, citing sources familiar with the matter, reports that the SEC requested documents in December as part of an inquiry into whether Yahoo complied with these rules.

Investigators are likely looking into Yahoo's 2014 data breach, which exposed the account information of 500 million users. Yahoo waited two years before disclosing the breach in September 2016, and it botched the delivery.

"They did an awful job at breach notification," says Jeff Pollard, principal analyst at Forrester, of Yahoo's public handling of the data breach. Yahoo's language and communication channels were poorly chosen, he explains, and there was little emphasis on the victims whose data was compromised.

"There was a lot of discussion about Yahoo, but not a lot of discussion about Yahoo users," Pollard notes. The disclosure of an August 2013 breach, which exposed the data of more than 1 billion users, was "a bit better" when Yahoo made the announcement in December 2016.

However, there is room for improvement. The results of this investigation could have long-term implications for all organizations affected by cybercrime.

"By 2016, data breaches have become common," says Pollard. "That's a sad fact, but it's also true. The bar has been raised for what a good response, and good [customer] notification, looks like."

The current SEC investigation is a signal that cybersecurity is an issue that must be discussed as businesses prepare earnings reports and disclosures, Pollard says. From a regulatory perspective, he continues, it's a topic nobody can avoid.

As cyber threats continue to grow, companies will be forced to think about how they're investigating data breaches and communicating their findings. Their strategies can affect both brand resilience and customer trust.

How long should companies wait before disclosing security breaches? This will be a difficult question to answer as they balance the importance of a thorough investigation with customer needs.

"It's tough to say you should notify customers quickly because you want to be as thorough as possible," says Pollard. "At the same time, you have an obligation. Once you have some degree of information that allows you to understand how customers and partners might be affected, you should notify them."

It's worth noting that Yahoo disclosed both the 2013 and 2014 data breaches after it agreed to sell core businesses to Verizon last summer, which some experts believe is part of the reason its breaches have become so highly publicized.

"Yahoo is having all this play out in the headlines because of their name and the Verizon deal," says Jonathan Sander, vice president of product strategy at Lieberman Software. "It's all too likely that any IT shop could find themselves in the same boat if they came under this level of scrutiny."

Pollard also questions whether the SEC would be digging into Yahoo's data breaches if not for the potential size of its Verizon deal. Regardless of its outcome, he says, if the legal system begins to consider cybersecurity a material matter, it will inform regulatory bodies they need to think about it as well.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
JulietteRizkallah
1/26/2017 | 5:56:36 PM
Do we need a US version of GDPR?
The penalty for such breaches and the lack of their disclosure for two years would be significant after May 2018 in Europe. It is also surprising that, with all that is found on the dark net, companies would avoid disclosing. Or maybe they really had no idea they had been breached? We may never know, but a fact is that regulations will tighten to avoid such avoidance of disclosure.