Recovering from a data breach is as much about leadership as it is about facing the damage to the organization’s brand and reputation from public scrutiny. Some try to bluff it out by saying as little as possible about the incident beyond issuing a notice that customers should change their passwords, and apologizing.
Sometimes, however, more information leaks out. That’s what happened when the New York Times investigated behind the scenes of the huge Yahoo mail breach disclosed last week. How much it damages Yahoo’s brand is an open question.
Unnamed current and former Yahoo employees — perhaps in hindsight — today complain that new CEO Marissa Mayer’s priority when she took over the troubled provider was the user interface, not security.
“The ‘Paranoids,’ the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs,” says the article. “And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company’s products.”
While new chief information security officer Alex Stamos toughened defences and dispatched “red teams” of penetration testers to break into Yahoo’s systems and find weaknesses, the story alleges that when it came time to commit big money to improve Yahoo’s security infrastructure, Mayer “repeatedly clashed with Mr. Stamos” — including allegedly putting off buying intrusion-detection systems for Yahoo’s production systems.
The company also allegedly rejected an automatic reset of all user passwords if a breach was detected. The article says employees believe the move was rejected “for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.” Instead, company policy was to lock out only those email accounts for which there was evidence that a user’s password had been compromised, until the password was changed.
By contrast, the article says, six years ago when Google discovered a penetration — allegedly by Chinese-based hackers — co-founder Sergey Brin “regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority.” Google “hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, ‘Never again,’ to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts,” says the Times article.
The article also quotes company spokeswoman Suzanne Philion saying Yahoo spent US $10 million on encryption technology in early 2014, and that its investment in security initiatives will have increased by 60 per cent from 2015 to 2016.
Much remains unclear about the 2014 Yahoo attack, which involved 500 million accounts and was only recently discovered. Exactly how was Yahoo penetrated? Would more aggressive defensive measures have detected the breach? What does disclosure of the breach do to the proposed US$4.8 billion purchase of certain Yahoo assets by Verizon?
According to the company’s CISO, the stolen data may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (most hashed with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Apparently no unprotected passwords, payment card data or bank account information was affected.
However, Yahoo users who had enabled two-factor authentication in 2014 may have been protected, limiting the possible damage.