[BreachExchange] The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 14 20:02:14 EDT 2018


The fallout from the Yahoo data breaches continues to illustrate how
cyberattacks thrust companies into the competing roles of crime victim,
regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public
company to be fined ($35 million) by the Securities and Exchange Commission
for filing statements that failed to disclose known data breaches. This is
on top of the $80 million federal securities class action settlement that
Yahoo reached in March 2018—the first of its kind based on a cyberattack.
Shareholder derivative actions remain pending in state courts, and consumer
data breach class actions have survived initial motions to dismiss and
remain consolidated in California for pre-trial proceedings. At the other
end of the spectrum, a federal judge has balked at the U.S. Department of
Justice's (DOJ) request that a hacker-for-hire indicted in the Yahoo
attacks be sentenced to eight years in prison for a digital crime spree
that dates back to 2010.

The Yahoo Data Breaches

In December 2014, Yahoo's security team discovered that Russian hackers had
obtained its "crown jewels"—the usernames, email addresses, phone numbers,
birthdates, passwords and security questions/answers for at least 500
million Yahoo accounts. Within days of the discovery, according to the SEC,
"members of Yahoo's senior management and legal teams received various
internal reports from Yahoo's Chief Information Security Officer (CISO)
stating that the theft of hundreds of millions of Yahoo users’ personal
data had occurred." Yahoo's internal security team thereafter was aware
that the same hackers were continuously targeting Yahoo's user database
throughout 2015 and early 2016, and also received reports that Yahoo user
credentials were for sale on the dark web.

In the summer of 2016, Yahoo was in negotiations with Verizon to sell its
operating business. In response to due diligence questions about its
history of data breaches, Yahoo gave Verizon a spreadsheet falsely
representing that it was aware of only four minor breaches involving users’
personal information.  In June 2016, a new Yahoo CISO (hired in October
2015) concluded that Yahoo's entire database, including the personal data
of its users, had likely been stolen by nation-state hackers and could be
exposed on the dark web in the immediate future. At least one member of
Yahoo's senior management was informed of this conclusion. Yahoo
nonetheless failed to disclose this information to Verizon or the investing
public. It instead filed the Verizon stock purchase agreement—containing an
affirmative misrepresentation as to the non-existence of such breaches—as
an exhibit to a July 25, 2016, Form 8-K, announcing the transaction.

On September 22, 2016, Yahoo finally disclosed the 2014 data breach to
Verizon and in a press release attached to a Form 8-K.  Yahoo's disclosure
pegged the number of affected Yahoo users at 500 million.

The following day, Yahoo's stock price dropped by 3%, and it lost $1.3
billion in market capitalization. After Verizon declared the disclosure and
data breach a "material adverse event" under the Stock Purchase Agreement,
Yahoo agreed to reduce the purchase price by $350 million (a 7.25%
reduction in price) and agreed to share liabilities and expenses relating
to the breaches going forward.

Since September 2016, Yahoo has twice revised its data breach disclosure.
In December 2016, Yahoo disclosed that hackers had stolen data from 1
billion Yahoo users in August 2013, and that in 2015 and 2016 they had also
forged cookies that would allow an intruder to access user accounts without
supplying a valid password. On March 1, 2017, Yahoo filed its 2016 Form
10-K, describing the 2014 hacking incident as having been committed by a
"state-sponsored actor," and the August 2013 hacking incident by an
"unauthorized third party."  As to the August 2013 incident, Yahoo stated
that "we have not been able to identify the intrusion associated with this
theft." Yahoo disclosed security incident expenses of $16 million ($5
million for forensics and $11 million for lawyers), and flatly stated: "The
Company does not have cybersecurity liability insurance."

The same day, Yahoo's general counsel resigned as an independent committee
of the Yahoo Board received an internal investigation report concluding
that "[t]he 2014 Security Incident was not properly investigated and
analyzed at the time, and the Company was not adequately advised with
respect to the legal and business risks associated with the 2014 Security
Incident." The internal investigation found that "senior executives and
relevant legal staff were aware [in late 2014] that a state-sponsored actor
had accessed certain user accounts by exploiting the Company's account
management tool."

The report concluded that "failures in communication, management, inquiry
and internal reporting contributed to the lack of proper comprehension and
handling of the 2014 Security Incident." Yahoo's CEO, Marissa Mayer, also
forfeited her annual bonus as a result of the report's findings.

On September 1, 2017, a California federal judge partially denied Yahoo's
motion to dismiss the data breach class actions. Then, on October 3, 2017,
Yahoo disclosed that all of its users (3 billion accounts) had likely been
affected by the hacking activity that traces back to August 2013. During a
subsequent hearing held in the consumer data breach class action, a Yahoo
lawyer stated that the company had confirmed the new totals on October 2,
2017, based on further forensic investigation conducted in September 2017.
That forensic investigation was prompted, Yahoo's counsel said, by recent
information obtained from a third party about the scope of the August 2013
breach. As a result of the new disclosures, the federal judge granted the
plaintiffs’ request to amend their complaint to add new allegations and
causes of action, potentially including fraud claims and requests for
punitive damages.

The SEC Breaks New Cybersecurity Ground

Just a month after issuing new interpretive guidance about public company
disclosures of cyberattacks (see our Post and Alert), the SEC has now
issued its first cease-and-desist order and penalty against a public
company for failing to disclose known cyber incidents in its public
filings. The SEC's administrative order alleges that Yahoo violated
Sections 17(a)(2) & (3) of the Securities Act of 1933 and Section 13(a) of
the Securities Exchange Act of 1934 and related rules when its senior
executives discovered a massive data breach in December 2014, but failed to
disclose it until after its July 2016 merger announcement with Verizon.

During that two-year window, Yahoo filed a number of reports and statements
with the SEC that misled investors about Yahoo's cybersecurity history. For
instance, the SEC found that Yahoo's 2014-2016 annual and quarterly reports
included risk factor disclosures stating that the company "faced the
risk" of potential future data breaches, "without disclosing that a massive
data breach had in fact already occurred."

Yahoo management's discussion and analysis of financial condition and
results of operations (MD&A) was also misleading, because it "omitted known
trends and uncertainties with regard to liquidity or net revenue presented
by the 2014 breach." Knowing full well of the massive breach, Yahoo
nonetheless filed a July 2016 proxy statement relating to its proposed sale
to Verizon that falsely denied knowledge of any such massive breach. It
also filed a stock purchase agreement that it knew contained a material
misrepresentation as to the non-existence of the data breaches.

Despite being informed of the data breach within days of its discovery,
Yahoo's legal and management team failed to properly investigate the breach
and made no effort to disclose it to investors. As the SEC described the
deficiency, "Yahoo senior management and relevant legal staff did not
properly assess the scope, business impact, or legal implications of the
breach, including how and where the breach should have been disclosed in
Yahoo's public filings or whether the fact of the breach rendered, or would
render, any statements made by Yahoo in its public filings to be
misleading." Yahoo's in-house lawyers and management also did not share
information with its auditors or outside counsel to assess disclosure
obligations in public filings.

In announcing the penalty, SEC officials noted that Yahoo left "its
investors totally in the dark about a massive data breach" for two years,
and that "public companies should have controls and procedures in place to
properly evaluate cyber incidents and disclose material information to
investors." The SEC also noted that Yahoo must cooperate fully with its
ongoing investigation, which may lead to penalties against individuals.

The First Hacker Faces Sentencing

Coincidentally, on the same day that the SEC announced its administrative
order and penalty against Yahoo, one of the four hackers indicted for the
Yahoo cyberattacks (and the only one in U.S. custody) appeared for
sentencing before a U.S. District Judge in San Francisco. Karim Baratov, a
23-year-old hacker-for-hire, had been indicted in March 2017 for various
computer hacking, economic espionage, and other offenses relating to the
2014 Yahoo intrusion.

His co-defendants, who remain in Russia, are two officers of the Russian
Federal Security Service (FSB) and a Russian hacker who has been on the
FBI's Cyber Most Wanted list since November 2013. The indictment alleges
that the Russian intelligence officers used criminal hackers to execute the
hacks on Yahoo's systems, and then to exploit some of that stolen
information to hack into other accounts held by targeted individuals.

Baratov is the small fish in the group. His role in the hacking conspiracy
focused on gaining unauthorized access to non-Yahoo email accounts of
individuals of interest identified through the Yahoo data harvest.
Unbeknownst to Baratov, he was doing the bidding of Russian intelligence
officers, who did not disclose their identities to the hacker-for-hire.
Baratov asked no questions in return for commissions paid on each account
he compromised.

In November 2017, Baratov pled guilty to conspiracy to commit computer
fraud and aggravated identity theft. He admitted that, between 2010 and
2017, he hacked into the webmail accounts of more than 11,000 victims,
stole and sold the information contained in their email accounts, and
provided his customers with ongoing access to those accounts. Baratov was
indiscriminate in his hacking for hire, even hacking for a customer who
appeared to engage in violence against targeted individuals for money.
Between 2014 and 2016, he was paid by one of the Russian intelligence
officers to hack into at least 80 webmail accounts of individuals of
interest to Russian intelligence identified through the 2014 Yahoo
incident. Baratov provided his handler with the contents of each account,
plus ongoing access to the account.

The government is seeking eight years of imprisonment, arguing that Baratov
"stole and provided his customers the keys to break into the private lives
of targeted victims." In particular, the government cites the need to deter
Baratov and other hackers from engaging in cybercrime-for-hire operations.
The length of the sentence alone suggests that Baratov is not cooperating
against other individuals. Baratov's lawyers have requested a sentence of
no more than 45 months, stressing Baratov's unwitting involvement in the
Yahoo attack as a proxy for Russian intelligence officers.

In a somewhat unusual move, the sentencing judge delayed sentencing and
asked both parties to submit additional briefing discussing other hacking
sentences. The judge expressed concern that the government's sentencing
request was severe and that an eight-year term could create an "unwarranted
sentencing disparity" with sentences imposed on other hackers.

The government is going to the mat for Baratov's victims.  On May 8, 2018,
the government fired back in a supplemental sentencing memorandum that
reaffirms its recommended sentence of 8 years of imprisonment. The
memorandum contains an insightful summary of federal hacking sentences
imposed, between 2008 and 2018, on defendants with similar records who
engaged in similar conduct. The government surveys various types of hacking
cases, from payment card breaches to botnets, banking Trojans and theft and
exploitation of intimate images of victims.

The government points to U.S. Sentencing Guidelines Commission data showing
that federal courts almost always have imposed sentences within the
advisory Guidelines range on hackers who steal personal information and do
not earn a government-sponsored sentence reduction (generally due to lack
of cooperation in the government's investigation). The government also
expands on the distinctions between different types of hacking conduct and
how each should be viewed at sentencing. It focuses on Baratov's role as an
indiscriminate hacker-for-hire, who targeted individuals chosen by his
customers for comprehensive data theft and continuous surveillance.
Considering all of the available data, the government presents a very
persuasive argument that its recommended sentence of eight years of
imprisonment is appropriate. Baratov's lawyers may now respond in writing,
and sentencing is scheduled for May 29, 2018.

Lessons from the Yahoo Hacking Incidents and Responses

There are many lessons to be learned from Yahoo's cyber incident odyssey.
Here are some of them:

The Criminal Conduct

- Cybercrime as a service is growing substantially.

- Nation-state cyber actors are using criminal hackers as proxies to attack
private entities and individuals. In fact, the Yahoo fact pattern shows
that the Russian intelligence services have been doing so since at least

- Cyber threat actors, from nation-states to lone wolves, are targeting
enormous populations of individuals for cyber intrusions, with goals
ranging from espionage to data theft/sale, to extortion.

- User credentials remain hacker gold, providing continued, unauthorized
access to online accounts for virtually any targeted victim.

- Compromises of one online account (such as a Yahoo account) often lead to
compromises of other accounts tied to targeted individuals. Credential
sharing between accounts and the failure to employ multi-factor
authentication makes these compromises very easy to execute.

The Incident Responses

- It's not so much about the breach as it is about the cover-up. Yahoo ran
into trouble with the SEC, other regulators and civil litigants because it
failed to disclose its data breaches in a reasonable amount of time.
Yahoo's post-breach injuries were self-inflicted and could have been
largely avoided if it had properly investigated, responded to, and
disclosed the breaches in real time.

- SEC disclosures in particular must account for known incidents that could
be viewed as material for securities law purposes.  Speaking in the future
tense about potential incidents will no longer be sufficient when a company
has actual knowledge of significant cyber incidents.

- Regulators are laying the foundation for ramped-up enforcement actions
with real penalties. Like Uber with its recent FTC settlement, Yahoo
received some leniency for being first in terms of the SEC's administrative
order and penalty. The stage is now set and everyone is on notice of the
type of conduct that will trigger an enforcement action.

- Yahoo was roundly applauded for its outstanding cooperation with law
enforcement agencies investigating the attacks. These investigations go
nowhere without extensive victim involvement. Yahoo stepped up in that
regard, and that seems to have helped with the SEC, at least.

- Lawyers must play a key role in the investigation and response to cyber
incidents, and their jobs may depend on it. Cyber incident investigations
are among the most complex types of investigations that exist. This is not
an area for dabblers and rookies. Organizations need to hire in-house
lawyers with actual experience and expertise in cybersecurity and cyber
incident investigations.

- Senior executives need to become competent in handling the crisis of
cyber incident response. Yahoo's senior executives knew of the breaches
well before they were disclosed. Why the delay? And who made the decision
not to disclose in a timely fashion?

- The failures of Yahoo's senior executives illustrate precisely why the
board of directors now must play a critical role not just in proactive
cybersecurity, but in overseeing the response to any major cyber incident.
The board must check senior management when it makes the wrong call on
incident disclosure.

The Litigation

- Securities fraud class actions may fare much better than consumer data
breach class actions. The significant stock drop coupled with the clear
misrepresentations about the material fact of a massive data breach created
a strong securities class action that led to an $80 million settlement.
The lack of financial harm to consumers whose accounts were breached is not
a problem for securities fraud plaintiffs.

- Consumer data breach class actions are more routinely going to reach the
discovery phase. The days of early dismissals for lack of standing are
disappearing quickly.  This change will make the proper internal
investigation into incidents and each step of the response process much
more critical.

- Although the jury is still out on how any particular federal judge will
sentence a particular hacker, the data is trending in a very positive
direction for victims. At least at the federal level, hacks focused on the
exploitation of personal information are being met with stiff sentences in
many cases. A hacker’s best hope is to earn government-sponsored sentencing
reductions due to extensive cooperation. This trend should encourage
hacking victims (organizations and individuals alike) to report these
crimes to federal law enforcement and to cooperate in the investigation and
prosecution of the cybercriminals who attack them.

- Even if a particular judge ultimately goes south on a
government-requested hacking sentence, the DOJ's willingness to fight hard
for a substantial sentence in cases such as this one sends a strong signal
to the private sector that victims will be taken seriously and protected if
they work with the law enforcement community to combat significant
cybercrime activity.