Yahoo is having a rough week, and it’s not getting much better, since the company is refusing to answer the most important question about its massive hack.
The company revealed on September 22 that it had been hacked by what it said it believed was a “state-sponsored actor” that stole information for at least 500 million accounts.
This week, it’s still investigating the breach along with the FBI. Meanwhile, it’s now the subject of at least three proposed class-action lawsuits, and US senators are asking the company to explain itself and are urging the Securities and Exchange Commission to investigate.
The onslaught of negative attention comes at a particularly bad time for Yahoo, which is in the middle of its sale to Verizon, which agreed in July to purchase Yahoo for $4.8 billion.
Sen. Al Franken (D-Minnesota) and his colleagues wrote in a letter to Yahoo CEO Marissa Mayer: “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”
The most pressing question asked in the letter is: When and how did Yahoo first learn that it had been breached? Franken asked the company to provide a timeline.
A Yahoo spokesperson told Business Insider the company had “received the letter and will work to respond in a timely and appropriate manner.”
On Monday, Sen. Mark Warner (D-Virginia) sent a letter to SEC Chairwoman Mary Jo White urging the agency to open an investigation to see whether Yahoo had “made complete and accurate representations” about its security.
Judy Burns, a spokeswoman for the SEC, declined to comment on Warner’s letter or whether it would be investigating Yahoo.
Meanwhile, a Los Angeles man has filed a proposed class-action lawsuit against Yahoo that alleges negligence, breach of contract, and violations of California’s state civil and business codes. Two other suits filed in San Francisco are also seeking class-action status.
Besides its potential legal troubles, Yahoo could also lose customers over the breach.
Why it matters when the hack happened
So far, Yahoo has not said when it found it had been hacked, but that question is central to what happens next.
That’s because Yahoo filed documents with the SEC on September 9 indicating there had “not been any incidents” of security breaches that could have an adverse effect on its business.
If it knew it had been hacked before that filing, the agency could rake the company over the coals over a lack of disclosure.
And if knowledge of the hack goes back even further than that – like before July, when Verizon agreed to buy Yahoo – the $4.8 billion deal could be in jeopardy.
On Wednesday morning, Business Insider asked Yahoo when it learned it had been hacked. As with previous inquiries, Yahoo declined to provide a date and said, “Our investigation into this matter is ongoing and the issues are complex.”
A person familiar with the matter told Business Insider the company initiated an investigation after apparent credentials from Yahoo customers appeared on the dark web in August, but it later found that the data being sold was not legitimate.
But during a deeper look into its networks, Yahoo found the much larger breach of at least 500 million user accounts.
This person said Yahoo had “a high degree of confidence” the theft was carried out by a state-sponsored actor, which has still not been named, and occurred sometime in 2014.
Some insiders say Yahoo didn’t take security seriously
In the wake of the event, insiders have come forward to criticize Yahoo’s stance on security over the last few years.
Although its security team worked to mitigate potential threats, six current and former Yahoo employees told The New York Times on Wednesday that security took a backseat at the company, often because Mayer worried that enhanced security features could cause users to stop using its services.
The latest breach was one of “a number of previous incidents that were not managed swiftly” by Mayer, according to internal sources who spoke with Recode.
These arguments over security may also explain Yahoo’s unusually high turnover in its chief information security officer role.
Its first CISO, Justin Somaini, joined the company in 2011 and stayed until January 2013, leaving in part because he was “unhappy with the new regime” of Mayer, according to a report from All Things Digital. After his departure, the company didn’t have a full-time CISO until March 2014, when Alex Stamos was hired.
One executive told Recode that Stamos tried unsuccessfully to have top management respond more strongly to such security incidents.
But Stamos and Mayer repeatedly clashed, according to the sources who spoke with The Times. Its report said Mayer “denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems.”
Stamos left for Facebook a little over a year later. His interim replacement, Ramses Martinez, moved to Apple only about a month after being put in the role. Yahoo’s current CISO, Bob Lord, has been on the job for 11 months.
Yahoo declined to answer specific questions from Business Insider, but provided this statement in regard to its security practices:
“Over the course of our more than 20-year history, Yahoo’s executive management and entire team have focused on and invested in security programs and talent to protect our users. For example, we invested more than $10 million to encrypt our platform in early 2014, and our investment in security initiatives from 2015 to 2016 will have increased by 60 percent.
“We routinely conduct red team exercises, where we adopt the tools and methods of adversaries to test and improve our defenses. In the last two years, a vibrant Yahoo bug bounty program has resulted in $1.8 million in cash payouts to security researchers from around the world and enabled Yahoo to meaningfully strengthen our security posture.
“Today’s security landscape is complex and ever-evolving, but, at Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure.”