[BreachExchange] The sheer size of Yahoo's breach is presenting a challenge to regulators

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 23 14:44:58 EST 2016


https://news.vice.com/story/yahoos-data-breach-was-so-big-its-presenting-a-challenge-to-regulators

Earlier this month, Yahoo revealed that it suffered a massive hack in 2013
that affected at least 1 billion user accounts. That came just three months
after the company disclosed a hack from 2014 that affected 500 million
accounts.

The breaches are thought to be the biggest of all time, presenting
uncharted territory for regulators at the Federal Trade Commission, which
has thus far levied fines in cases that were a fraction of the size.

But beyond the scale of the breach, Yahoo is unique in that so many people
use their Yahoo email as the credential to log into other internet services
such as messaging or banking, and now those services are compromised as
well.

“Transactions performed over email may be compromised and that can include
all sorts of sensitive data,” said Steve Rubin, a lawyer at Moritt Hock &
Hamroff who specializes in digital security. “Aside from the number of
customers, the nature of this data presents potentially far reaching
ramifications.”

Recent SEC filings from Yahoo show that the company has been in touch with
the FTC, federal prosecutors’ offices, state attorneys general and other
regulators, although not necessarily as part of any investigation.
According to regulatory insiders and legal experts that spoke to VICE News,
the FTC is likely the agency that will take the lead on any investigation
that would materialize.

“The FTC has a responsibility for and can take legal action against
companies for not properly safeguarding people’s data,” said one White
House official. “And they have a record of taking enforcement actions and
making those actions stick.”

As to how the FTC might take on enforcement, Northeastern University
professor Andrea Matwyshyn, who has advised the FTC on data security
policy, said that a major question for regulators going forward is the lack
of precedent for something like the Yahoo hack.

“Because of the limited case data and enforcement history, we don’t have a
legal sense of what the FTC views as adequate,” Matwyshyn said. Although
the FTC doesn’t publicly announce such investigations, Matwyshyn added that
“certainly this kind of a security breach is consistent with the attack
patterns that have given rise to FTC investigations in the past.”

Both the FTC and Yahoo declined to comment for this story.

The most recent comparable example in terms of the kind of information
exposed was the hack of the dating service Ashley Madison, which affected
33 million accounts — a fraction of the number exposed in the Yahoo hacks.
The company recently settled its case with the FTC and other regulators for
$17.5 million, though it will only pay $1.6 million because the business is
in serious financial trouble.

Though Yahoo doesn’t appear to be in as dire a financial situation as Ashley
Madison (Yahoo reported $1.4 billion in the bank at the end of September),
the company will likely be able to duck paying out a financially crippling
fine. That’s because the FTC’s ability to levy fines has been limited. The
largest fine it’s ever levied was a $100 million settlement against
Lifelock for false advertising. Commissioners have in the past asked
Congress for authorization to levy stiffer civil penalties, and though
Democrats in the U.S. Senate have been making noise about the Yahoo hacks,
it’s unclear if that will amount to anything.

But even if regulators decline to pursue an investigation of Yahoo, the
company could instead face financial pressure.

Yahoo is in the process of selling itself to Verizon for $4.8 billion.
Verizon was already reportedly pretty queasy after the September hack was
revealed, and Bloomberg now reports that the company has an internal legal
team exploring whether Verizon can get a discount on or exit entirely from
the Yahoo acquisition.

Then there are the inevitable lawsuits from Yahoo’s own users. Within hours
and days of the hacks being disclosed in September and December, Yahoo
was hit with multiple class-action lawsuits. And according to Steve Rubin,
a successful class-action could hit Yahoo significantly, because the
potential size of the class is so large.

In the aftermath of Target’s own giant 2013 hack that compromised the
information of 40 million credit cards, the retailer agreed to pay $10
million to settle its own class-action lawsuit. When asked how the Target
breach compared to the Yahoo hacks in severity and size, Rubin said that
the Yahoo breaches “dwarf” what happened at Target.