background image


Yahoo! Breach: The Cost of Cybercrime


In 2016, while deep in negotiations to sell itself to Verizon, Yahoo announced that it had been the victim of the largest data breach in history, after a series of digital burglaries that occurred between 2013 and 2014. The initial security breach, in 2013, compromised the real names, email address, dates of birth and telephone numbers of at least 500 million users.

In late 2014, the internet giant was further compromised by an altogether different group of hackers affecting upwards of 1 billion accounts. In addition to previously disclosed personal information, security questions and answers were also compromised.

In October of 2017, Yahoo revised their estimate, declaring that all 3 billion Yahoo user accounts had been compromised, including some linked to Russia by the FBI.

The Cost of Cybercrime

In one of the largest class action settlements, Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to approximately 200 million individuals whose email addresses and other personal information were stolen in what is currently the most extensive internet security breach in history.

According to the court filing in San Francisco, the settlement covers approximately 1 billion of those accounts held by an estimated 200 million people in the U.S. and Israel. A court hearing to approve this lawsuit will be held in California on November 29, 2018. If approved, the affected account holders will be emailed a notice outlining details regarding their suffered losses.

In addition to these losses, Yahoo will also be forced to pay $37.5 million in lawyer fees, according to the TechCrunch reports. Settlement costs will be split between Oath, the Verizon subsidiary that owns Yahoo, and Altaba, the remaining portion of Yahoo that was renamed post-sale.

Claims to a portion of the proposed $50 million will be made by account holders who suffered loss, such as delayed tax return, and/or identity theft as a direct result of the data breach. Those account holders, with eligible claims, will be compensated for time spent handling losses, at a rate of $25 per hour, or up to $375 with complete documentation. Premium account holders will also be eligible for 25% refund of paid fees.

Brand Damage, Quantified

Prior to any settlement negotiations, the breaches themselves had already cost Yahoo as it dropped its final sale price to Verizon, in 2016, by some $350 million to reflect the tarnished brand name and a host of other potential costs resulting from the breach.

The Cost of Deception

Unfortunately, the penalties resulting from Yahoo’s cybersecurity failures don’t end there. In 2016, the US Securities and Exchange Commission (SEC) reports that Altaba (remaining portion of Yahoo, renamed) has already paid a penalty fee of $35 million to settles charges resulting from failure to disclose the massive breach of December 2014 to anyone affected. Despite their awareness, Yahoo’s senior management team didn’t adequately investigate the incident or disclose details to investors and affected users until 2016, while in negotiations with Verizon.

Disclosing breaches in a timely manner is very important, both for investors and users. Historically, companies have been slow to announce security breaches, however, in light of the new regulations as seen in PIPEDA and GDPR, this delay will no longer be tolerated.

Protecting Your Organization

Though many organizations have internal Risk Management departments, the fact remains that most remain grossly unprepared and unqualified for the job. The vast majority of these organizations would greatly benefit from bringing in a third-party vendor of experts in the field of Cyber Security, namely Penetration Testers or Ethical Hackers.

Ideally, to protect your organization against hackers, you’re going to require a team of similar minds on your defensive arsenal, the best of the best.

For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.