Yahoo & The Price of Breaches
In the court of public perception, the size and scope of the Yahoo! breaches of 2013 and 2014 have been overshadowed by the Equifax breach and the US election-related breaches of 2016. However, at the time of writing, the Yahoo! breaches objectively remain the largest compromise of customer data in history, and their consequences are far from settled.
In this briefing, we take a look at what the long-term aftermath of a major data breach looks like.
A quick recapitulation
In 2016, Yahoo! discovered, and then reported, that it had fallen victim to cyber attacks dating back to 2013. The total scope of the accessed customer data remained uncertain for quite some time, but it is currently estimated to have affected 3 billion user accounts. At the time the breaches were publicly revealed, Yahoo! was in the process of being acquired by Verizon. Because of the incident, Verizon was able to negotiate a $350 million discount on the purchase price. This discount was one of the first directly measurable financial losses attributable to a cyber security failure.
What happened since then?
In response to the breaches, Yahoo! was fined by the US government for disclosing them too late. At the same time, the company - or rather the companies that now own what was Yahoo! - faced 23 separate lawsuits brought by affected users. One of the largest of these suits, which reached class action status, is currently in the process of being settled. After several rounds of negotiation and proposed settlements that judges refused to approve, the company is currently offering $117.5 million in compensation. Even at this relatively high figure, it remains to be seen whether the settlement offer will be approved.
The cost of breaches
Whatever the size of the final settlement, it is certain to influence how breaches are handled in the future. The past 10 years have seen responses to data breaches go from "too bad, but what are you going to do?" to government action and hundreds of millions of dollars in fines. With several countries and legal blocs implementing strict data protection legislation, such as the EU's GDPR, this trend is likely to continue.
We expect the costs imposed on breached organisations by governments and courts to keep climbing for the foreseeable future. However, it remains to be seen whether steep fines alone can create an environment in which companies and individuals actually build secure IT infrastructure.