Lessons Learned from the Yahoo Data Breach
In mid-December, Yahoo announced that more than 1 billion user accounts were hacked three years ago. And that’s separate from the company’s disclosure in September that a data breach of at least 500 million user accounts had taken place over the prior two years. Time will tell how well Yahoo will handle its response to the most recently announced breach, but according to a report from Forrester, the company’s response to the initially reported breach left much to be desired. The good news is that other organizations can learn from Yahoo’s experiences.
The Forrester report, “Quick Take: Lessons For Security And Risk Pros From The Yahoo Breach” came out just after Yahoo’s September announcement. “So far,” the report says, “Yahoo isn’t following the most important principle of security breach response—which is to put your customers first.”
Customers Come First: Data Breach Response Survey
That seemingly simple principle of prioritizing customer interests in the wake of a breach appears to be gaining traction. In fact, the newly released Customers Come First: Data Breach Response Survey shows that today’s organizations are increasingly emphasizing customer service in their breach responses, with more than half of respondents citing a thoughtfully written notification letter as a key component of breach responses.
Over the past year, we have offered specific tips on how to put customer needs first, beginning with the breach response letter. Among other things, we recommend that the letters be thorough and transparent, providing all the details affected individuals want to know. Letters should also be sensitive to the plight of the people whose lives have been affected.
In these and other ways, Forrester argues that Yahoo’s response to the breach of 500 million accounts has thus far come up short. Specifically, the report points to at least 10 mistakes Yahoo made that failed to put customers’ interests first and to earn back some of the trust the breach inevitably eroded.
For instance, the report suggests that Yahoo made a mistake in trying to downplay the significance of the breach. Yahoo’s breach response statement stated, “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.” Forrester argues that those lines paint customers as targets rather than victims and imply that breaches are inevitable—which may be viewed as an attempt to shift blame instead of taking full responsibility.
It is not only the content but also the presentation of breach response statements that affect how organizations’ responses will be viewed. The Forrester report points out that Yahoo inserted a security alert on its email account screen, but made the alert less visible than most ads. The company also failed to highlight its longer statement on its main Yahoo.com site and related Yahoo properties. Such steps give the appearance of minimizing the seriousness of the breach and may have further undermined attempts to restore trust.
The Forrester report goes on to offer six lessons based on Yahoo’s experience to help security and risk professionals improve their own security posture and reduce future risk. One of the more interesting lessons to consider is the need to calculate reputational damage, which may have much greater impact than the tangible costs associated with a breach—especially when an organization like Yahoo suffers its breach in the midst of an acquisition.
Verizon had agreed in late July to acquire Yahoo for $4.8 billion. Upon learning of the data breach (two days before the public disclosure in late September), Verizon stated that it “will evaluate as the investigation continues.” By Oct. 13, Verizon was signaling that the burden of proof was on Yahoo to show that the breach was not material to the deal. And on Nov. 9, Yahoo stated in a filing with the Securities and Exchange Commission that there is “no assurance” that Verizon will go through with the deal.
According to the Wall Street Journal, merger and acquisition activity is at an all-time high, so we are likely to see more instances like this where cybersecurity and incident response capabilities become critical factors for companies contemplating or taking part in a merger or acquisition. As we’ve pointed out, a company that “knows its risks, and actively seeks to address them with a combination of preventative and detective controls along with purpose-built incident response management tools, is a far better value than one that buries its proverbial head in the sand.”
In fact, perhaps the greatest lesson from Yahoo’s recent experiences is that organizations can never afford to bury their heads—not before breaches happen, when significant and sometimes difficult steps must be taken to protect sensitive data. And not after a breach occurs, when affected individuals (and organizations seeking mergers and acquisitions) expect and deserve full transparency.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.