The Cost of Doing Business: How Two Massive Breaches and Yahoo!’s Reluctance to Disclose Them Cost Their Shareholders $350 Million
The latest news on Yahoo’s massive data breaches highlights the most important consideration for any security incident: the impact these events can have on a company’s bottom line.
Yesterday a news story hit the wire and spread like wildfire around the world. No, it wasn’t a news story related to a new, exotic piece of malware used to deftly compromise diverse organizations the world over in an attempt to collect and harvest sensitive data, intellectual property, or trade secrets. It was a story related to a number. A very, very large number. A number large enough be noteworthy to not only the casual reader, but also to the informed investor and board member.
The number in question is $350 million USD. $350 million USD. The story goes on to tell us, the reader, that the $350 million USD in question is the amount by which the deal between Yahoo! and Verizon had changed. In fact, to be specific, the sale price of Yahoo! had been decreased by $350 million USD. Now, I’d like you to think about that number for a moment and imagine, if you will, what one could purchase for $350 million USD. The first thing that came to my mind was an exotic car, specifically, the Lamborghini Aventador LP750-4 SV which has a starting price here in the United States of $493,095. Now, do you know how many Lamborghini Aventador LP750-4 SVs one could purchase for $350 million USD? 710. You could buy 710 Lamborghini Aventador LP750-4 SVs for $350 million USD. It’s a staggeringly large number when you think about it. And given some time I’m sure you too could come up with some equally outlandish ways to use $350 million USD.
So why is the $350 million USD amount so important? And is it more important than what was stolen from Yahoo!, specifically the user accounts of approximately ~1.5 billion users – including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some instances, even the encrypted or unencrypted security questions and answers? In this case, Yahoo!’s decision to handle the disclosure of these breaches had a material effect on their sale price to Verizon. Or put another way, had a material impact on their investors, who as of today own 954.12 million outstanding shares, or their board of directors.
At this point, you may be asking yourself what this has to do with a blog dedicated to information security, data protection, incident response, and advanced threat detection and that is perfectly reasonable given the fact that I haven’t gone into detail regarding the alleged ‘breach,’ the alleged attribution of the threat actors behind the breach or anything pertaining to it with respect to tradecraft and/or investigatory practices often seen and observed in these situations. No, in fact I’ve purposely avoided delving into those areas for several reasons. I instead focused on the impact of the event’s which lead Verizon to change their offer. Why? Because we in the information security industry often forget (or choose not to acknowledge) that it is those events which have a material impact on an organizations’ worth and/or valuation which often times resonate the loudest with those in positions of power and authority to authorize actions (i.e. budget, resources, programmatic changes, etc.) required to ensure that said events never happen again.
So, what can we learn and take away from this case of not one, but two monumental breaches at Yahoo!? For starters, we can continue to stress the importance of selecting providers who stay abreast of the threat landscape and put in place controls which aid in minimizing risks via the mitigation of threats common and uncommonly encountered in both enterprise and service provider environments. Secondly, we can continue to stress the importance of good security hygiene and opsec for both providers and users. Thirdly, we can use the example of the case of Yahoo!’s breaches as an opportunity to teach and educate our peers, staffs, and ultimately those to whom we report with respect to how a poor understanding of the threat landscape, poor security hygiene, a lack of solid and effective controls, and poor opsec can have a material impact on an organization in dollars and cents.