[BreachExchange] Yahoo Hack: Disclosure Lag Could Be a Simple Lack of Knowledge

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 10:21:05 EST 2016


http://gadgets.ndtv.com/internet/news/yahoo-hack-disclosure-lag-could-be-a-simple-lack-of-knowledge-1638863

The scale of a second Yahoo breach disclosed Wednesday was staggering
enough, exposing information associated with 1 billion accounts. But
perhaps even more distressing was that the theft happened three years ago -
and had not been reported until now. That probably left a lot of consumers
wondering: Why does it take so long to find out that I've been hacked?

In Yahoo's case, the reason for the delay may be a fairly simple one. The
company may not have known about the breach. Yahoo has not revealed how it
learned about the 2013 attack, but reading between the lines of its
announcement, it seems as though its security team was alerted by outside
investigators rather than an internal team.

"[Law] enforcement provided us with data files that a third party claimed
was Yahoo user data," Bob Lord, Yahoo's chief information security officer,
wrote in a blog post. "We analyzed this data with the assistance of outside
forensic experts and found that it appears to be Yahoo user data."

But even when companies do find a breach on their own, there are other
reasons that their users may not hear about it right away. The laws around
data breaches are complicated, and each state has its own standards for
when and how breaches must be reported, which can slow down the process.
There has been a long political fight over how to resolve conflicts
between those laws, but Congress hasn't come to a conclusion yet. And as
the debate continues, consumers - who often have no idea that they should
be protecting themselves against potential identity theft following a hack
- are the ones who suffer.

On top of that, different types of information require different
disclosures. Companies have to parse out whether financial, medical or
other data has been taken and whether the theft poses real harm.

Sorting all of that out can take time, particularly when individual states
have different guidelines about who needs to be notified about what, and
when. And companies are often wary of over-notifying customers, for fear of
brand damage or, conversely, that breach-fatigued consumers will ignore
important messages.

Plus, notification laws vary between states, according to the National
Conference of State Legislatures. Only three states do not have such rules:
Alabama, New Mexico and South Dakota.

Given that patchwork of laws, it can be hard for national companies to
figure out what their duties to their customers are, particularly to
customers based in a state other than the one where the company is
headquartered. To resolve those conflicts, there have been many pushes for
a national notification law that sets a single standard for when customers
should learn about hacks.

But settling on what should be included in a basic law is tricky. Privacy
advocates - who generally favor stronger laws on data-breach notification -
raised concerns about a law proposed by President Barack Obama in 2015,
worried that federal standards would override some of the more protective
measures passed in individual states such as California. Still, the latest
Yahoo breach has renewed calls for companies to be better about notifying
users when their information has been taken.

"These revelations are deeply troubling," said Sen. Mark Warner, D-Va., in
an email to The Washington Post. "Prompt notification enables users to
potentially limit the harm of a breach of this kind, particularly when it
may have exposed authentication information such as security question
answers they may have used on other sites."

Lawmakers and security experts have called for data-breach laws to be
passed along with data security standards - measures designed to have
companies such as Yahoo check their systems regularly for problems and head
off more breaches in the first place.

"The law should require, not just encourage, reasonable data security
practices from companies that collect, process, and share personal
information," said Samford University law professor Woodrow Hartzog at a
hearing in 2015. "This will fortify the protection of personal information
in the United States and help ensure that fewer breach notifications need
to be sent at all."