It took place in August 2013. It was a hack of unprecedented scale, impetuous, audacious, and, if we are to believe Yahoo, undetected at the time. The result of that effort across 1 billion accounts was a profitable use of material to spammers and cyber criminals operating on the dark web, with some estimates on proceeds coming to $300,000.
The breached data comprised email addresses, names, phone numbers, birthdays, hashed passwords, and an assortment of encrypted and unencrypted security questions, with their answers. If the company’s public front is to be believed, the hack avoided unencrypted passwords, credit card numbers or information related to bank accounts.
To this could be added the hack of 2014, disclosed in September, that targeted the details of half a million accounts. The words from the publicity arm of the company were hardly encouraging. The one billion-account hack was “distinct from the incident we disclosed on September 22, 2016.”
What was the CEO Marissa Mayer thinking on becoming CEO? Security could hardly have been a priority. This is in stark contrast to the bruising the company got six years ago when it, along with Google and other technology companies, received the unwanted attention of Chinese military hackers.
Responses varied. Sergey Brin of Google hired a swathe of security engineers with enticing bonuses. Yahoo preferred dragging its collective, corporate feet, facing internal battles over security costs between the “Paranoids,” as Yahoo’s security team is known, and the rest of the business.
According to Jeremiah Grossman, a former information security officer for Yahoo, “there’s confusion, there’s frustration, and there’s not a lot of support for the security team” (Wired, Dec 14). To this company atmospherics could also be added the general desire on the part of the wonks to keep mum on the issue of whether it had received the attention of hackers.
Nor is Mayer anywhere in sight. In the unconvincing words of a Yahoo spokeswoman, “Marissa and our executive team have been deeply engaged in our ongoing investigation.” According to the Financial Times, she should have been engaged right back in July, when she already had knowledge about the 2013 hack. This raised “questions about whether [she] withheld information from investors, regulators and its acquirer Verizon until this week.” Very naughty indeed.
This kaleidoscope of chaos has come to light as Mayer has been working on making Yahoo appealing to Verizon to the tune of $4.8 billion, which was pretty much all that was looking up for the company.
That appeal, even for this sick man of the technology field, has worn off considerably with two massive hacks in succession, suggesting that the company has not taken heed of the vast information insurgency being pursued across the Internet. In the ruthless technology jungle, Yahoo has lagged and limped. Verizon, while still on board, wants amendments to the deal.
With its eyes taken off matters of security, it is fitting to consider the extent to which Yahoo is liable for having a system that offered such ready pickings. Numerous states impose onerous obligations on data companies to protect the integrity of what is gathered under their watch. A standard of care, the breach of which incurs penalties, is assumed.
Britain’s deputy information commissioner, Simon Entwisle, is eyeing the company, as are his colleagues at several other watchdogs. The Information Commissioner’s Office has some form, having fined TalkTalk to the tune of £400,000 for a cyber attack that took place in October last year. The theft of personal data there involved 157,000 customers. Among them were 16,000 instances where bank account details were also pilfered.
Despite TalkTalk’s cooperative demeanour (the company claimed “to be open and honest with our customers from the outset”), the fine remained. “Yes, hacking is wrong,” observed Information Commissioner, Elizabeth Denham, “but that is not an excuse for companies to abdicate their security obligations.” It was incumbent on the company to do “more to safeguard its customer information. It did not and we have taken action.”
The Yahoo account holder may also rush to keyboard or pad to whisk away the account into oblivion, bidding a bitter adieu to the flawed technology giant. But as has been noted, even after a Yahoo email account is deleted, “the actual details of the account won’t be cleared from Yahoo’s database for 90 days and even then, Yahoo may retain some information.”
Reeling and recoiling, the Yahoo top brass have had little in the way of answers. The market is doing the talking for them on one level, while customers will, in all likelihood, do the other. But the damage is done, and any deletion of the Yahoo account is about to have a weak futility to it. In the age of the deep hack, not even deletion will assist you.
Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne.