[BreachExchange] Could Yahoo Hack Allow Verizon to Pull the Plug on their Deal?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 22 20:03:24 EDT 2016


http://fortune.com/2016/09/22/could-yahoo-hack-kill-the-verizon-deal/

What did Yahoo know, and when did it know it?

Yahoo  (YHOO 0.14%)  today confirmed that information from at least 500
million user accounts was stolen in 2014,by what it is calling a
“state-sponsored actor.” This could create a problem for the company’s
recent agreement to be acquired by Verizon for $4.8 billion.

The Verizon-Yahoo merger documents include fairly standard material breach
language, which basically means that Verizon cannot bail on the deal
because of changes in external factors like global political conditions,
or, say, a terrorist attack. It also cannot terminate because Yahoo misses
financial projections (either internal or external).

Verizon  (VZ 0.93%)  could, however, claim a material breach for something
like this data hack, by arguing that the event has caused irreparable harm
to Yahoo in terms of customer trust and usage. Nonetheless, it would be
very tough sledding to get a Delaware court to agree a so-called material
adverse event had occurred, particularly given that evidence of reduced
usage and related revenue declines, for example, would not be immediately
available for quite some time. But it is theoretically possible. Verizon
also could use the threat of such a claim to renegotiate its original
agreement.

A larger threat to the deal, however, relates to what Yahoo knew and when
it knew it. Check out this paragraph from the Verizon-Yahoo merger
agreement, dated July 23, 2016:

"To the Knowledge of Seller, there have not been any incidents of, or third
party claims alleging, (i) Security Breaches, unauthorized access or
unauthorized use of any of Seller’s or the Business Subsidiaries’
information technology systems or (ii) loss, theft, unauthorized access or
acquisition, modification, disclosure, corruption, or other misuse of any
Personal Data in Seller’s or the Business Subsidiaries’ possession, or
other confidential data owned by Seller or the Business Subsidiaries (or
provided to Seller or the Business Subsidiaries by their customers) in
Seller’s or the Business Subsidiaries’ possession, in each case (i) and
(ii) that could reasonably be expected to have a Business Material Adverse
Effect."

The first possible public reports of this breach didn’t come out until a
week after the Verizon deal was announced, via a Motherboard post claiming
that a hacker was “advertising 200 million of alleged Yahoo user
credentials on the dark web.” Yahoo did tell Motherboard that it was
“aware” of the claims, but neither confirmed nor denied their legitimacy.

One other possibility, of course, is that the hack reported byMotherboard
is different than what Yahoo today is confirming. The company has not given
specifics yet on that.

As for Verizon, the telecom giant says that Yahoo only informed it of the
breach within the past two days (i.e., not before the merger agreement was
signed). That means, in order to have not breached its warranties and
representations to Verizon, Yahoo either: (a) Must have first learned of
the 500 million account hack after July 23, but before August 1; or (b)
This is a different hack than the one reported by Motherboard.

In a statement, Verizon only would say that it “will evaluate as the
investigation continues.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160922/d42f4f6f/attachment.html>


More information about the BreachExchange mailing list