Following Yahoo's confirmation that it suffered what may be one of the largest cybersecurity breaches on record, the U.S. Securities and Exchange Commission may use the hack as a test case for new guidelines on breach disclosure.
On Sept. 23, Yahoo announced that “data associated with at least 500 million user accounts” had been stolen by what it believes is a state-sponsored actor in late 2014. It specified in a statement:
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
However, Yahoo may have known about the hack as early as August – when a hacker claimed to be selling data from 200 million users online – before bringing it to the attention of the FBI.
These security issues go back as far as 2010, when Yahoo, Google, and other tech companies were hit by Chinese military hackers. While the other companies responded quickly and invested hundreds of millions in security infrastructure, Yahoo lagged, emphasizing new products and design over making security improvements, according to former employees.
Its internal security team – dubbed “The Paranoids” – often came up against other parts of the business over security costs, and was overridden because the inconvenience of added protection might drive users away from Yahoo's products.
On the heels of this most recent attack, the SEC has been asked to investigate. Democratic Senator Mark Warner asked the SEC to evaluate whether the current disclosure regime is adequate, citing reports that fewer than 100 of roughly 9,000 public companies have disclosed a material data breach since 2010.
To learn what measures you can take to protect your organization from security breaches, register for DRI’s IT/DR Planning workshop. Upcoming courses include online on Nov. 2-3, and prior to DRI2017 in Las Vegas on Feb. 23-24, 2017.