Out-Law News 3 min. read
03 Mar 2017, 10:30 am
Yahoo said that an independent committee set up by the company to look into the 2014 incident found that the full-scale of the 2014 breach was not uncovered at the time. This was not the result of a cover-up but instead stemmed from failings in "communication, management, inquiry and internal reporting", it said.
The failings meant that Yahoo's audit and finance committee, as well as the full board of directors, "were not adequately informed of the full severity, risks, and potential impacts of the 2014 security incident and related matters", it said.
The details of the independent committee's findings have been outlined in a new regulatory filing submitted by Yahoo to the US Securities and Exchange Commission (SEC).
Yahoo publically reported the 2014 data breach in September 2016. It then followed up in December last year by disclosing that it had uncovered, with the help of law enforcement agencies and forensic experts, a more substantial, separate data breach incident in 2013. More than one billion Yahoo customers' details were compromised by hackers in the 2013 incident, the company said at the time. Yahoo's handling of the 2014 data breach has been closely observed by data protection authorities.
"The EU's new General Data Protection Regulation (GDPR) will introduce new data breach notification obligations on many businesses for the first time," Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said. "Under those rules, organisations will generally be expected to report major data breach incidents to data protection authorities within 72 hours of the time they first have knowledge of those incidents."
"There may be differences in opinions across industry over when an organisation might be said to have knowledge of a data breach given the wording of the GDPR. However, it is likely that data protection authorities will adopt a strict interpretation on this point," Richard said.
"It is therefore vital that organisations implement and test incident response plans to ensure that breaches are expeditiously communicated to senior management when first identified and that an associated community of internal and external experts can be engaged to investigate the incident, handle communications, including regulatory reporting obligations, and mitigate the effect to employees or customers whose data is affected," she said.
Under the GDPR, organisations could be served with fines of up to €10 million, or 2% of their annual global turnover, whichever is highest, for failing to comply with the data breach notification rules.
According to its SEC filing, the independent committee found that Yahoo's information security team "had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016".
The details that were known should have prompted more thorough investigation at the time, it said.
"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the company’s account management tool," Yahoo said. "The company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the company’s information security team."
"Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the independent committee did not conclude that there was an intentional suppression of relevant information," it said.
"Nonetheless, the committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 security incident was not properly investigated and analysed at the time, and the company was not adequately advised with respect to the legal and business risks associated with the 2014 security incident," it said.
In its regulatory filing, Yahoo said that it had taken a number of actions in response to the independent committee's findings, including updating its "technical and legal information security incident response protocols".
The changes will help ensure "escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed", it said.
In addition, Yahoo announced the resignation of its general counsel and secretary Ronald Bell and said that chief executive Marissa Mayer would not receive cash and equity bonuses otherwise due to her.
Last month, Yahoo and Verizon announced that they had agreed to cut the price Verizon will pay to acquire Yahoo by $350 million from the original price $4.8 billion agreed, in light of the security incidents experienced by Yahoo. The companies also agreed to "share certain legal and regulatory liabilities arising from" those incidents.