How Yahoo’s Data Breach Could Help Overhaul Online Security
Andrea Matwyshyn and Hemant Bhargava discuss the fallout from Yahoo’s data breach
A “full inquiry” into a massive data breach at Yahoo — which was revealed this week but took place in late 2014 — will decide the fate and revaluation of Verizon’s $4.8 billion bid to buy its operating assets, according to experts. It will also trigger an industry-wide overhaul of user authentication procedures, replacing passwords and security questions, they predict.
Two months after Yahoo announced the Verizon deal in July, it broke the news that what it believes is “a state-sponsored actor” stole information relating to at least 500 million user accounts, or half its total monthly active user base of a billion-plus. An internal Yahoo investigation has found no evidence that the state-sponsored actor is currently in its network. However, weightier questions remain about how Yahoo will boost its internal security processes, and whether its directors and officers failed in discharging their fiduciary duties when they discovered the breach.
Hemant Bhargava, professor of technology management at University of California-Davis, and Northeastern University law professor Andrea Matwyshyn discussed the implications of the data breach at Yahoo on the Knowledge@Wharton show on Wharton Business Radio on SiriusXM channel 111.
Here are five key takeaways from their discussion:
Impact on the Verizon deal: “With the extra negative reputation of the data breach, many users will defect, and Verizon may want to rethink the value of the deal,” says Bhargava. He pegs the liability cost of the breach at between $25 and $200 per user. Verizon, which is buying only Yahoo’s operating assets, may insist that the Yahoo entities that it is not buying foot that liability bill, he adds. “At the very least, the reputation effect on users and the defection of users will cause some rethinking” of the firm’s valuation.
“This kind of data valuation is partially art as well as science,” says Matwyshyn. She notes some experts project a drop of between $100 million and $200 million on Verizon’s purchase price for the Yahoo assets.
Much of how Verizon will reassess its deal will depend on the impact of the breach on its larger strategy in video and digital media, says Bhargava. Yahoo will provide the so-called “landing pages” or places where ads can be distributed, complementing Verizon’s $4.4 billion purchase of AOL in June, he notes.
Did Yahoo Respond Responsibly? “The first step is the forensics,” says Matwyshyn — that is “to make sure that the bleeding has stopped, the intruders are eliminated from the system entirely and the methods of entry used by those intruders have been mitigated and corrected so that the same kind of errors don’t recur,” she explains. “We will end up with a fact-specific inquiry” that will help determine if Yahoo exercised “reasonable care” or if it is guilty of “gross negligence,” she adds. Bhargava wonders if someone at Yahoo discovered the breach and decided not to announce it. “Why and who will be big questions that will come up,” he says.
Yahoo already faces user lawsuits over the breach. When exactly Yahoo discovered the breach will come out in the litigation, says Matwyshyn. She notes that the notification laws requiring companies to contact affected account holders about data breaches within a certain period of time vary by state.
Investigations will also throw light on whether Yahoo officers and directors discharged their fiduciary obligations to the company and its shareholders as they responded to the breach, says Matwyshyn. The legalities of those aspects will get “more complicated” as the discovery of the breach occurred within a “transactional context” (the Verizon-Yahoo deal), she adds.
Options for Yahoo Users: Yahoo’s statement that the stolen information includes unencrypted security questions and answers is worrying, says Matwyshyn. “It should give consumers pause to think about the kind of information that we are giving away and those answers to security questions,” she adds. Hackers could use such information to gain access to customers’ other accounts, she notes. “Consumers should recognize that interconnection.” She also suggests that consumers “come up with creative ways to minimize their own risks and the way they are answering those questions.”
Yahoo, on its part, has encouraged its users to review their accounts for suspicious activity, change their passwords and security questions, avoid clicking on suspicious links and consider using a new authentication tool called Yahoo Account Key.
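The worry Matwyshyn raises is that a stolen table of security answers is immediately usable because the answers were stored as readable text. The following is an added example, not code from the original article or from Yahoo, contrasting that weak storage pattern with the defensive alternative: normalising the answer and storing only a salted, slow hash (PBKDF2-HMAC-SHA256 here) so that a copy of the table does not reveal the answers. The record layout, the `normalize_answer` rule and the sample answer "Rover" are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed illustration of the weak pattern the article describes:
# the answer sits in the database as readable text, so anyone who
# copies the table can read it and try it against the user's other accounts.
PLAINTEXT_RECORD = {"question": "first pet's name", "answer": "Rover"}


def normalize_answer(answer: str) -> str:
    """Canonicalise the answer so 'Rover', ' rover ' and 'ROVER' compare equal.

    Users rarely retype a security answer with identical case and spacing,
    so normalisation must happen both when storing and when checking.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store a per-record random salt plus a slow hash instead of the answer.

    A stolen record now costs an attacker `iterations` PBKDF2 rounds per guess,
    and identical answers in two accounts produce different digests.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def check_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    hashed = hash_answer(PLAINTEXT_RECORD["answer"])
    print("stored record:", hashed)
    print("' rover ' accepted:", check_answer(hashed, " rover "))
    print("'Spot' accepted:", check_answer(hashed, "Spot"))
```

Hashing limits the damage when the table is copied; it does not make the mechanism strong, because answers such as a pet's name are short, guessable and often public, which is exactly why Matwyshyn advises consumers to rethink how they answer these questions.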
What Next for Online Security? The Yahoo breach “raises the question of whether our current system of passwords and security questions provides the best of all possible worlds,” says Matwyshyn. “We have this ecosystem of security questions and passwords that is not great for a number of reasons.”
Alternatives include one-time passwords, but “it is irritating and opens more channels for information to be leaked,” says Bhargava. Biometrics, too, will not work well because users cannot periodically change information such as fingerprints, says Matwyshyn.
Matwyshyn notes that some companies have introduced a two-factor authentication process in which one factor relates to information the user already has, and the other is a rotating number the user must key in to gain access. In sum, authentication processes need more R&D, she notes. According to Bhargava, passwords and answers to multiple security questions should no longer be required, as more than 50% of users now access the web over their mobile devices.
‘Black Mark’ on Yahoo’s Mayer: Bhargava feels the breach episode is “a black mark” on Yahoo CEO Marissa Mayer. “Yahoo has been, in a sense, such a damaged and sick company, [and] Marissa [Mayer] was going to fix all of that,” he says. Since Mayer took over as CEO in July 2012, Yahoo has made multiple acquisitions that have failed to increase revenues, he adds. “The fact that this [breach] was not disclosed in time is clearly more of a corporate governance mark on her.” At the same time, he notes that it is not clear how much Yahoo is to blame for the breach itself, adding that “it could happen to anyone, and Verizon is no stranger to security issues.”