As Yahoo belatedly confirms a massive historical data breach, two questions spring to mind: who knew Yahoo even had 500 million users, and what does this mean for the Verizon acquisition?
Even at this time of data breach fatigue, Yahoo has set the standard for how not to protect your customers’ data. The company announced yesterday that at least 500 million users had their accounts accessed and details stolen.
“A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” said Bob Lord, the company’s CISO. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
Wait a minute… did he say late 2014?
Aside from the scale of the breach, perhaps the more worrying fact is the amount of time that passed before the breach was made public. In that time, William and Kate brought Princess Charlotte into the world, the UK started divorce proceedings with Europe and the US political system somehow enabled Trump, and yet the data breach of 500 million user accounts went unmentioned by Yahoo. The only thing more surprising than the scale of the breach is the fact Yahoo has over 500 million users in the first place; who would have thought that?!
There are two explanations for the fact the news has only just been made public, though which is the more worrying remains a matter of opinion. Either Yahoo knew about the data breach and neglected to tell anyone, or Yahoo did not know about the breach until recently. One explanation is sinister, the other incompetent.
“Why has it taken so long for Yahoo! to become aware of the breach?” asked Nicola Fulford, Head of Data Protection & Privacy at technology and digital media law firm Kemp Little. “Serious questions need to be asked about the effectiveness of the security measures and information governance structures in place. Just talking about the breach has revealed a number of people who had their Yahoo! accounts hacked in 2014.
“Under the new GDPR law, breaches will have to be reported without undue delay and at least within 72 hours of becoming aware; fines may be up to the greater of EUR20 million or 4% of global turnover, and late notification of a data breach could of itself attract a fine.”
Back in July, Verizon ended months of rumours by confirming it would be purchasing Yahoo’s internet and media assets outside of Japan for $4.83 billion. The deal supported a wider media strategy from the telco giant as it already owns a number of assets including The Huffington Post, Engadget and TechCrunch, following the $4.4 billion AOL purchase in 2015.
Verizon apparently did not know about the data breach until September 20, though what is more significant is the impact this will have on the acquisition itself. Surely this qualifies as new and material information which, at the very least, must affect the value of Yahoo.
“Within the last two days, we were notified of Yahoo’s security incident,” said Bob Varettoni, Director of Corporate Communications at Verizon. “We understand that Yahoo is conducting an active investigation into the matter, but otherwise we have limited information and understanding of the impact.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
The statement says very little, and a lot. The Verizon team has been very PR-ey in its approach to the situation, though it does seemingly imply there could be repercussions in the future. Whether this results in the telco backing out of the acquisition remains to be seen, but surely M&A law will allow for a change of plan when such significant information comes to light.
The situation does also call into question how well the Yahoo business was audited during the courtship period. If Yahoo was not aware of the data breach, it would have certainly been tough to find, but surely the Verizon team forensically investigated the entire organization before committing such a vast sum of money to the acquisition.
There is, of course, a rich history of ill-informed M&A in the tech sector alone; HP’s $10 billion acquisition of Autonomy was another case where the team didn’t purchase quite what it had in mind as, within a year, HP had written down $9 billion of the newly acquired asset. And then there’s the mother of all mishaps: AOL Time Warner.
How the news impacts the industry on the whole, and the Verizon acquisition of Yahoo, remains to be seen, but it’s hard to derive any positives at this stage. Just when it looked like its long-suffering shareholders might be able to extract some consolation from the slow-motion car crash that is Yahoo, a major spanner has been thrown into the works.