Inside Cybersecurity

The Editor Reports

Yahoo identified hack risk, but its risk-management approach is unclear

By Charlie Mitchell / September 23, 2016

Yahoo identified the nightmare scenario of a massive breach of customer data in its 2015 annual report as one of the biggest risks facing the company, which looks prescient in the aftermath of this week's revelation that 500 million Yahoo accounts were compromised by a possible state-sponsored hack.

How Yahoo, which is in the midst of a proposed friendly takeover by Verizon, decided to manage that risk has yet to be answered. Verizon has been a leading player in the development of cybersecurity policies for the telecom sector, while Yahoo's efforts in this area are much less clear.

The hack apparently occurred in “late 2014,” according to Yahoo, which confirmed the incident on Thursday.

About this feature:
'The Editor Reports' is a new feature from Inside Cybersecurity intended to identify themes emerging from our news coverage and pose questions about the direction of evolving cybersecurity policies. Email comments to cmitchell@iwpnews.com.

Here's what Yahoo had to say on “risk factors” to the company's operations and business model in its 2015 annual report:

“Despite our implementation of network security measures, our servers are vulnerable to computer viruses, malware, worms, hacking, physical and electronic break-ins, router disruption, sabotage or espionage, and other disruptions from unauthorized access and tampering, as well as coordinated denial-of-service attacks.”

The report added: “We may not be in a position to promptly address attacks or to implement adequate preventative measures if we are unable to immediately detect such attacks. Such events could result in large expenditures to investigate or remediate, to recover data, to repair or replace networks or information systems, including changes to security measures, to deploy additional personnel, to defend litigation or to protect against similar future events, and may cause damage to our reputation or loss of revenue.”

And the implications could be severe, the company correctly predicted:

“Security breaches or unauthorized access have resulted in and may in the future result in a combination of significant legal and financial exposure, increased remediation and other costs, damage to our reputation and a loss of confidence in the security of our products, services and networks that could have an adverse effect on our business. We take steps to prevent unauthorized access to our corporate systems, however, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be designed to remain dormant until a triggering event, we may be unable to anticipate these techniques or implement adequate preventative measures. If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed and we could lose users and customers.”

The report also included this attachment:

“While Yahoo’s products are full of fun and whimsy, when it comes to protecting our users’ security, we don’t mess around. For the second consecutive year, we received a perfect score from the Electronic Frontier Foundation, a leading privacy advocate that evaluates how well top tech companies protect user data, inform people of government requests, and disclose their own data retention policies. Now that’s no joke.”

It should be noted that the score was based on how Yahoo handles data in relation to possible law enforcement requests for access, not on its security policies designed to deter or respond to hacks.

But what type of cybersecurity risk-management system did Yahoo employ?

The most recent annual report doesn't make mention of the National Institute of Standards and Technology's framework of cybersecurity standards, and the company didn't respond immediately to inquiries on its risk-management practices.

“The NIST framework only came out in the last two years or so; it’s more likely [Yahoo] was working within an ISO27001 compliance regimen,” Eldon Sprickerhoff, founder and chief security strategist of eSentire, told Inside Cybersecurity in an email. “Unfortunately, Yahoo has been under increasing pressure from corporate competition, and as such, this might have aided in providing a gap in security. Compliance doesn't necessarily imply security.”

Yahoo officials apparently were not among the thousands of industry representatives who attended NIST's public workshops on the framework, according to public attendance records.

Nor did Yahoo submit comments in three rounds of “requests for information” that NIST issued seeking public input on cybersecurity issues.

Verizon, Yahoo's would-be new parent company, was an active participant in the framework development process and in the effort at the Federal Communications Commission to develop a cybersecurity strategy for the telecom sector.

That suggests a culture gulf on cybersecurity between the two companies – and the different approach taken by a company like Verizon that's in a space with a sector-specific regulator that focuses on cybersecurity. Verizon declined to comment on the hack or on security policies in general.

This is not to say that Yahoo was negligent – or that it should have been in a position to fend off a nation-state cyber attack. How far companies' responsibilities extend when the adversary is a state actor is an ongoing policy debate.

But it does suggest that, at least visibly, Yahoo wasn't among the many companies that have publicly bought into the risk-management approach embodied in the NIST framework – the central arena for government-industry engagement on cybersecurity over the past few years.

The full consequences of that apparent decision remain to be seen. – Charlie Mitchell, editor, Inside Cybersecurity