- Finally comes clean in latest filing with the SEC
- Security systems and procedures may still be unsafe
- Costs and ramifications of the biggest data breach in history still not clear
At many big American companies it is unstated corporate policy that when the going gets tough, the tough get economic with the vérité. Hence the hordes of overpaid spin doctors, misdirection merchants and sleight-of-hand tricksters - who would be the envy of shell game practitioners in back alleyways the length and breadth of the US - who are in place in commercial organisations, primed and ready to practice the dark arts of telling partial truths to the market and the media whenever they are called upon to do so.
However, when it comes to required regulatory filings with powerful bodies, such as the US Securities and Exchange Commission (SEC), that can and will take severe action against corporations and those individuals employed by them that attempt to pull the wool over the eyes of officialdom, enterprises are much more circumspect. So if you really want to know what is going on at the troubled mess at Yahoo the best bet is to see what the company is telling statutory bodies that won't be fobbed off with artfully abridged versions of the actualité.
Thus, in the "Risk Factors" section of the latest quarterly SEC filing from 701 First Avenue, Sunnyvale, the company finally admits what many suspected to be the truth in the fist place; that Yahoo's data was hacked two years ago but the company decided to keep a lid on it, brazen it out and tell no-one. However, later on and finding itself in increasingly dire straits, Yahoo put itself up for sale in late July this year and a few weeks later, on September 22, was forced to confirm that two years earlier hackers had indeed gained access to the data held in at least half a billion Yahoo user accounts.
Usernames, email addresses, telephone numbers, dates of birth and hashed passwords were stolen, together with encrypted and unencrypted security questions and answers. It was, and remains, the biggest data breach in history.
Prior to this belated admission Yahoo had said it had only discovered the two year-old security breach this August. The date is important because it reveals that Yahoo's claim that the attack came to its notice a month after Verizon bought Yahoo for US$4.83 billion was not true.
The truth will out
Now, in its most recent SEC filing, Yahoo admits for the first time that some of its executives did know of the late-2014 breach a mere matter of days after it actually happened but the company decided to keep the attack secret from its subscribers, the market and the media.
So, the cat is finally out of the bag and Yahoo's new SEC filing states, “An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge [of the attack which Yahoo maintains was instigated by a "state-sponsored actor"] in the company in 2014 and thereafter."
It is not yet apparent what Verizon's response to Yahoo's revelation will be but the best case scenario, given that Yahoo is still not able to quantify the real costs of the attack, is that Verizon will demand a reduction of the US$4.8 billion offer it has made to buy the company, while the worst case would be Verizon walking away from the deal altogether, thus leaving Yahoo to a solitary and short future as a terminally damaged operation.
Indeed, in the SEC filing Yahoo states that “Verizon may assert, or threaten to assert, rights or claims with respect to the stock purchase agreement as a result of facts relating to the security incident, and may seek to terminate the stock purchase agreement or renegotiate the terms of the sale transaction on that basis.” Hardly surprising really, is it?
Yahoo also confesses that it still can't quantify the full extent of the costs it will have to bear as a result of the hacking. Earlier this year the company reported that the security breach had cost it just $1 million in Q3 and had no "material adverse impact". Now though it says it has incurred extra expenses related to putting its compromised systems to rights. Furthermore, Yahoo expects to be saddled with significant extra costs in respect of the ongoing investigation into the data breach as well as more unquantified legal expenses which it will post to the accounts as operating costs as and when they fall due for payment. Yahoo also revealed that it does not have insurance covering liabilities accruing as a result of a cyber attack.
The filing also shows that Yahoo will also make financial provision for the possible results of 23 looming class-action lawsuits that it faces as a result of the security breach.
Smug and self-righteous to the end
All in all the attack and the prevarications and denials that followed it could end up costing Yahoo billions of dollars in hard cash, brand damage and loss of reputation.
To make matters worse, an investigation by a team of experts at the Salt Lake City, Utah-headquartered cybersecurity specialist Venafi Labs, concluded that in September this year Yahoo had still not taken the steps necessary to tighten up their security to ensure that subscriber data is properly protected.
The Vanafi team found that Yahoo was continuing to use an MD5 cryptographic hashing algorithm for the many of its self-signed digital certificates, despite the fact that it had long been declared, and accepted by the industry at large, to be highly vulnerable to hacking.
Complacent as ever, a Yahoo statement says, "We are confident in Yahoo's value and we continue to work towards integration with Verizon." Meanwhile, in the real world, Verizon's top lawyer, Craig Silliman, said the data breach and the delay in admitting that it had taken place could have "material" impact on Verizon's decision to acquire Yahoo.