September 27, 2016
In case you missed it, Yahoo recently announced that the personal information of over 500,000 of its users was stolen. This is quite distressing since I don’t think that anyone would be wild about the prospect of having their name, email address, date of birth and encrypted and unencrypted passwords in the hands of some malevolent strangers who probably wanted them for reasons other than to expand their Christmas card lists. What is, perhaps, somewhat more disturbing is that this information was surreptitiously obtained two years ago. Yes folks, 10% of the company’s user base information was absconded with back in 2014. The company is trying to rectify this by contacting all impacted users to tell them their accounts are being secured, and best of all, there’s no evidence that the attacker is still in the Yahoo network. As my mom used to say, “thank goodness for small favors”. Maybe I’m alone, but one has to wonder why they are only announcing this now, and how is this going to affect their $4.8 billion acquisition by Verizon?
Obviously, no one meant for this to happen—does anyone—and the company has stated that the attacker was a “state sponsored actor”. Unfortunately, as you might surmise, “state sponsored actor” isn’t a veiled reference to Trinidad and Tobago. While I can understand attributing the breach to the concerted efforts of one of the world’s most dubious regimes, does admitting that fact mean that your server security was only slightly better than Mrs. Clinton’s? Granted, the theft of the email addresses of John or Jane Doe isn’t on par with exposing the secret identities of CIA operatives, but each group is entitled to have their anonymity guaranteed, albeit for different reasons.
As is the case in events such as these, the scope of impact exceeds that of those directly impacted. Since Verizon was the one proposing this engagement, they are obviously concerned in the same way a potential groom is when he catches his best man sneaking out of his fiancée’s apartment at 3 AM. This is particularly evident when you review their statement regarding this unexpected bump in the road to “mergerdom”: “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities”. Roughly translated, this means, “Oh crap. Now what are we going to tell the board?”
Of course the folks at Yahoo are also concerned about having to make this ill-timed announcement—at least the ones with stock options. For example, Marissa Mayer, who is to CEOs as defective rails are to train wrecks and who stands to make $55 million from the merger, is probably asking the same question that others in her position would, “How does this affect me?” In an act of contrition for this unpleasant occurrence, she’s said that she wants to stay on after the merger, thereby declining the aforementioned buy-out package. An action that I’m sure prompted more than one person on the Verizon side of the equation to ask themselves, “What’s the best way to say, ‘Thanks, but we’ve got it covered’?”
Certainly it strains credulity to think that it would take two years for a provider of over half a billion email accounts to determine that an uninvited guest took a romp through their system taking more than a few party favors with them, but as they say, “stranger things have happened”. Of course this does provide an answer for those wondering, “Why am I getting so many credit card offers from the Bank of Moscow?”, but I would suggest this is small consolation for those having to re-do all of their account information. Hacks like this make you wonder if any of the information that you’d prefer not to share is really secure, but, more importantly, if 500,000 people were successfully kept in the dark about a violation of trust this large, does anyone really want to know? In other words, is it better to occasionally have to explain to the credit card company that “no, I didn’t have dinner at that restaurant in Patagonia on the 12th” than regularly having to go through the hassle of updating access information for everything from our Visa card to the on-line bank? Apparently, the folks at Yahoo were literally banking on the latter.