Tag Archives: Yahoo

The Times They Are A Changing, Part 2

Last week I wrote about 4 different cases where courts are moving in the direction of making it easier for plaintiffs to sue companies in case of a breach.

Now we have another situation.  In the past, judges have approved settlements that only made the lawyers rich.  The plaintiffs sometimes got, literally, nothing.  That is beginning to change.

Judge Lucy Koh (she has some impressive credentials – undergraduate and law degree from Harvard, first ever female Korean American Article III judge in the US, oversaw the Apple-Samsung case, Apple and Google lawsuits) decided that she did not like the proposed Yahoo settlement.

The settlement called for $50 million split among 200 million people (or about 25 cents a person), zero for the remaining 800 million people plus two years of credit monitoring.  Remember this breach started in 2013, so two years of credit monitoring starting some time in 2019 …..

She also said that the $35 million in legal fees (taking the payout to the 200 million people down to $15 million or seven and a half cents a person) may be unreasonably high because the legal theories in the case were not particularly novel (SLAP! Meaning that the lawyers didn’t really have to work that hard).

That could, possibly, mean that judges are becoming educated and are hearing that people are trying not to spend their seven cent payout all in one place, meaning bigger settlements are going to be required in order to get judicial approval.

Meanwhile for Yahoo, it is back to the drawing board.

For businesses, that probably means that it would be a good idea to increase your cyber-risk insurance.

Details for this post came from Reuters.



News Bites for the Week Ending October 26, 2018

Poorly Secured Family of Adult Web Sites Leaks Account Info

For those people who can think back to the hack of the Ashley Madison web site, this is kind of deja vu all over again.

100 megabytes of user authentication data was leaked – user names, IP addresses, passwords and email addresses.  Not THE most sensitive data, but most people who visit adult web sites do not advertise that fact.  But there is more.

One surprise is that there were OVER ONE MILLION email addresses compromised.

Along with, apparently, pictures that some people uploaded to some of the sites.  Suffice it to say those pictures are not of sunsets over the beach.

The owner of the 8 sites took the sites down almost immediately and told people to change their passwords.

One disappointing feature of the sites – the passwords, while encrypted (or, technically, hashed), were hashed with an algorithm that is over 40 years old and whose hashes can be easily cracked.

All this does point out the dangers of posting data and pictures to the web – YOU don’t understand what their security practices are like.  It also points out that web site owners need to get a security review of their web site from time to time to make sure that they are not using 40-year-old insecure algorithms.  Source: Ars Technica.


Saudis “buy” Twitter Employee to Spy on Dissidents

The Saudis do not need any more bad news, but they are getting it anyway.  The Times has reported that the Saudis “groomed” (maybe bribed or blackmailed) a Twitter employee to feed them dirt on Saudi dissidents.  In addition, the Saudis, like the Russians, have mounted a huge disinformation campaign.  Social media has a huge challenge and no easy answers.  Source: The Hill.


NY Times Reports US Begins First LIMITED Cyber Ops Against Russia

In spite of the fact that President Trump says that the Russians are not hacking our elections, the United States Cyber Command is targeting Russians to stop them from interfering with the elections.  The campaign started in recent days.

The campaign comes after the Justice Department released a report last Friday outlining a Russian campaign of information warfare.

Not surprisingly, the Pentagon is not talking much about this – just like they would not talk about any spy activities or activities that would likely be considered illegal, aggressive or an act of war by the targeted countries.

Interestingly, the story says that the actions are “measured” and much less than what the Russians are doing.  Why?  Because they are worried that Russia might take down the US power grid or carry out some other major cyber activity.

That is not comforting.  Source: NY Times.


UK Grocer Morrisons Loses Appeal of Breach Class Action

This is the UK and not the US, but still, this is interesting.  A disgruntled employee downloaded data on 100,000 employees, leaked it to the press and posted it online.  The data leaked included salary and bank account information.

Morrisons was sued, not surprisingly, but, somewhat surprisingly, lost.  Morrisons appealed the court verdict, but lost the appeal.  They now plan to appeal to the UK Supreme Court.

If they lose there, it will mark a turning point in security law.  The company maintains that they did nothing wrong and it was a rogue employee who leaked the data.  The employee is now in jail.  The court says Morrisons is responsible anyway.  Stay tuned because if the courts hold that companies are responsible for the unauthorized actions of their employees, boy oh boy.  Source: BBC.

Yahoo Settles One More Lawsuit for $50 Mil Plus Credit Monitoring for 200 Million

As Yahoo continues to feel the fallout from its data breaches in 2013-2014 that it failed to disclose, they agreed to another settlement covering 1 billion of the 3 billion users affected.

For this suit, they will pay $50 million, split between Verizon and Altaba (the company that controls what is left of Yahoo) and provide credit monitoring for 200 million people for 2 years.  Add to that $35 million in legal fees.

This, of course, is not the end.  It is only one lawsuit of many plus fines from regulators. Stay tuned for further settlements. This really poorly planned strategy of Marissa Mayer to hide the breach may wind up costing Yahoo and Verizon a billion dollars.  Source: Seattle Pi.

Score One For the Right to Repair Movement

Every three years the Librarian of Congress gets to arbitrarily decide who is breaking the law and who is not.  Really.  Specifically, he or she gets to decide who the Digital Millennium Copyright Act (DMCA) applies to and why.

Every three years, those people who got an exemption before have to go back to the Librarian and ask, again, mother may I?

One example is that the Librarian said that you can circumvent encryption and DRM tools to jailbreak your phone.

Another exemption allows educators to use encrypted DVDs (and break that encryption) in certain educational settings.

None of this gives you the tools to actually do it, but they can’t put you in jail or fine you millions of dollars if you succeed.

The newest addition to the list of approved exemptions from DMCA is for the right to repair movement, a growing group that says that people should have the right to repair things that they bought like cars, iPhones and tractors.  John Deere, for example, said that while a farmer bought the metal pieces of that million dollar combine, they do not own the software that actually makes it work when you turn it on and if you don’t let an authorized John Deere mechanic fix it, they will try to sue you into oblivion.

Now people can try to fix their cars, tractors, iPhones and other devices.  It doesn’t mean that the manufacturers will help you – it just means that they can no longer sue you.  Source: Motherboard.

The News At Yahoo Keeps Getting Better

Update: In light of the title of this post, the Irish data protection commissioner, Helen Dixon, says that her office is investigating “next steps” in investigating Yahoo.  While I don’t think the U.S. will do anything more than slap Yahoo on the wrist for allowing three billion identities to be compromised, the EU generally takes a different stance on things like this.  Come 2018, it could cost companies like Yahoo and others who do business in Europe up to 4 percent of their annual revenue in fines.  That’s revenue, not profit.  Stay tuned.

Yahoo, just before Verizon acquired it, disclosed first one breach and then another breach.  One breach, that occurred in 2014, affected a half billion (500,000,000) people. The other breach, in 2013, affected one billion (1,000,000,000) people.

The effect of this disclosure was to put the deal on hold for several months and then to give the deal a haircut of about $300 to $400 million.  For a deal valued at $4 billion plus, that only represents a 10% price reduction, but still, that represents a lot to the Yahoo shareholders.  In addition, Yahoo agreed to remain responsible for certain aspects of the breach such as the SEC investigation and penalties and to share some of the other costs.  By the time it is all done, it could cost Yahoo shareholders $500-$750 million.

Verizon understood (I hope) that they were buying damaged goods and knew they had their work cut out for them.

Now Verizon is admitting that the 2013 breach affected 3 billion accounts – passwords, security questions, names, email addresses, etc.  This is three times what they disclosed before the sale, three times what they disclosed to their customers and three times the number that they disclosed to the SEC.  I suspect that won’t make the SEC very happy, but it will likely make the class action attorneys quite joyful.

Verizon says this new data comes from unnamed outside forensics experts.  Verizon is not saying WHEN they found out that the breach affected every Yahoo account.  In fact they are not saying much of anything.  Of course, when the lawsuits move forward, more information may come out.

At least some of the data is available for sale on the dark web.  That fact may be the reason that they have revised the numbers up.

To some outsiders, the fact that ALL accounts were affected is not a surprise.  After all, they say, the hackers had burrowed in so deeply that it didn’t make sense that only some accounts were affected, but that is what Yahoo told everyone.

Assuming that you had a Yahoo account, hopefully, by now, you have changed your password anywhere that password was used (a great reason NOT to reuse passwords at different sites).  The bigger issue is those security questions.  If you answered the question of what street were you born on or what was your first car and that data is out in the wild, you can’t retract it.

Or can you?

Remember, most folks don’t care how you answer the question, just that the answer that you gave when you created the account and the answer that you give now match.  If your first car was a VW and you said it was a Mercedes, they won’t close your account.  Of course, you have to remember what you said, but if you use a password safe, you could store that “fake car” info in the password safe.

One exception to this is when the web site thinks it knows the answers to the questions.  Web sites can buy the questions and answers from businesses like Equifax (that should make you feel secure).  That service is called “out of wallet” questions and hopefully, any company that has been using one of those services stops immediately since if that security mechanism was ever effective, it is no longer secure now.  I was recently asked by a business to answer some of those out of wallet questions and I laughed and asked if they were kidding.  Even the guy who was asking the questions laughed, but he was just “following orders”.

If you are responsible for that part of security at your company and you are using out of wallet questions, find a different solution.

Information for this post came from CNN and Wired.

The General Counsel’s Job Just Got Harder

After Yahoo announced its mega breaches and its General Counsel was fired, this article is not much of a surprise.

John Reed Stark, head of his own consulting firm but formerly Chief of the SEC’s Office of Internet Enforcement and former law professor at Georgetown Law, and David Fontaine, CEO of the billion dollar risk mitigation firm Kroll, Yale Law graduate and partner at the law firm of Miller, Cassidy, Larroca and Lewin, wrote a great piece recently.

The basic premise is that the General Counsel is going to be the fall guy when there is a breach, so he or she might want to get ahead of that freight train and plan for dealing with it, like any other risk such as financial reporting, sexual harassment and insider trading.

I highly recommend that CEOs, CFOs and Board Members read the entire article because a summation is not going to do it justice, but they bring up three key points. First a little background.

If, after reading the article, you are more confused than when you started, please contact me.

From the Yahoo Board after action report:

Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. …

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.

Here are the three recommendations:

#1 – The GC has emerged as the most logical and effective quarterback of data breach response.

We agree with this completely with a few caveats.  Most GCs are not cyber security gurus.  The GC needs to work in both internal and external cyber security experts in order to make the right decisions about the risk.  While Fortune 500 firms have access to great cyber security teams, sometimes it is hard to be a prophet in your own land and outside expertise may be helpful.

In addition, based on precedent, to get the maximum benefit of attorney client privilege, engaging outside counsel may be mandatory.

#2 – Yahoo’s actions not only signal the evolution of a new standard of care for GCs when it comes to cybersecurity but also signal a vast expansion of GC oversight.

The article goes into great detail of what the GC should ensure is being done proactively.

Our takeaway is this.  It is only a matter of time before the lawsuits are successful and the cost to companies of inaction becomes dramatically more than the cost of action.  One strategy is to hide behind a boulder and hope the avalanche misses you, but based on experience here in Colorado, the avalanche usually wins.

Be prepared or be buried by the breach avalanche.

#3 – Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.

I could not say this better myself and in fact, have been saying just this for years.

Cyber, for most companies, whether private or public, is a much more likely risk than financial reporting failure and one that the public understands much better.  If Target made errors in its financial reporting, most consumers would just shrug and move on.  Compromise 50 million consumer credit cards and it takes years for Target to recover its reputation.

Information for this post came from LinkedIn.

The Cost of Cyber Breaches

In case you were one of those who thought that there was no real cost to cyber breaches, you might want to ask Yahoo CEO Marissa Mayer and GC Ron Bell about that.

The Yahoo Board has decided not to award Mayer, CEO of Yahoo during all of the recent breaches and renegotiated Verizon deal, any cash bonus at all.  Exactly how much that is was not disclosed, but surely it was in the millions.

In addition to that, the Board voted not to give her an equity bonus (AKA stock or options).  The minimum value of that, according to CNN, was $12,000,000.00.

Granted, Mayer’s net worth is estimated to be around $300 million according to Google, but no one wants to walk away from $10-$20 million.

In addition, Yahoo General Counsel Ron Bell has “resigned”.   According to the company, Yahoo did not make any “payments” to him in exchange for his leaving.

Yahoo’s Board said that the GC had sufficient information to warrant substantial further inquiry in 2014 – two years before the breaches were publicly announced.

In other Yahoo news, Yahoo released its 10-K and said that it recorded a charge of $16 million in 2016 related to the breach.  Given that the announcement of the breaches came late in the year (mid December for the big breach), maybe a number that small makes sense.  It will be much more interesting to hear how much they will spend in 2017, 2018 and 2019.

In addition, in that same 10-K, Yahoo said that it did not have any cyber breach insurance.  Seriously?  You’ve GOT to be kidding.

In many cases of a breach, the stock price dives and then rebounds for the most part so investors are not hurt, but in this case, the investors, too, were hurt.

First, the sale price was reduced by $350 million and the sale has been delayed for a year.  Second, Yahoo gets to pay 50% of most of the breach costs and lastly, Yahoo gets to foot the entire bill for the SEC investigation and fines and any shareholder suits.

How many other people at Yahoo were also sacrificial lambs will likely never be known.

Information for this post came from Venture Beat and Variety.

Yahoo Breach Update and the Verizon Merger

Right after Yahoo announced all of the different breaches, the expectation was that the Verizon merger offer would be modified or totally go away.

Well, there is some news and it is probably not as bad as it could be. Many people were suggesting that the price would go down by a billion dollars and that Verizon would ask for a hold back of another billion dollars.

Luckily for Yahoo shareholders, it is not quite that bad.

Verizon negotiated a number of changes.  The first change is that the purchase price is reduced by $350 million.  Ignoring all other costs, and there are a lot of them, that means that this breach will cost Yahoo shareholders at least $350 million pre-tax.

Next, Yahoo and Verizon will split the cost, 50/50 of many of the expenses associated with the breach such as some government investigations and third party litigation related to the breach.

However, Yahoo will be completely liable for all expenses related to the SEC investigation and to shareholder lawsuits.

Put all that together and that is likely to cost Yahoo shareholders a half billion dollars or more.  Some of that is likely deductible from their taxes, so that will reduce the after tax cost of that, but still, it will be a significant number.

Depending on what the SEC does, that could be a significant cost – or not.

Shareholder lawsuits are much more dicey.  Most of the time, shareholder lawsuits, of which a number have been filed, fail.  This one COULD be different since apparently Yahoo was aware for over a year about the breaches and didn’t tell shareholders.  That would seem to be a problem.

For example, the shareholder lawsuit against Home Depot was dismissed and the Target shareholder lawsuit was withdrawn, but not until Target spent a lot of money dealing with it.

Bottom line here is that this is an example of a real world cost of a breach.  The good news for Yahoo may be that Verizon didn’t walk away from the deal completely as it would be unlikely that they could get another $4+ billion offer.

I am sure that it will be years before all the dust from the lawsuits and government reviews settles and until then, both Verizon and Altaba (which is what the part of Yahoo that did NOT get sold will be called) will have to spend precious time and money dealing with it.  Both companies will have to reserve no doubt many tens of millions of dollars to pay for these costs.

All of this might have been avoided if Yahoo spent more money on security rather than a pretty user interface.

Information for this post came from CNBC and JD Supra.