It’s almost inconceivable that Yahoo! suffered a breach of over 500 million user accounts, and it wasn’t even detected by Yahoo’s management team until years later. Yet here we are.
First Published 2nd March 2017
"Database backups have been leaked"... yeah, um, that should be fine, right?
3 min read | Reflare Research Team
Yahoo! Inc., which has been hit by a string of data breaches in recent years, filed its annual report with the Securities and Exchange Commission this week. While the financial disclosures of companies are not usually the focus of this briefing, the public nature of the company, combined with its recent bid for acquisition and the leaks mentioned above, means that the report offers a rare glimpse into how a breach can be insufficiently mitigated even in a company with a dedicated security team.
The relevant passages can be found on page 47. They state that an independent investigation concluded that Yahoo’s security team was aware of breaches as early as 2014 and took adequate steps to inform management. While the investigation found no signs of intentional information suppression, it could not determine whether people outside of the security team fully comprehended the impact of the breaches.
This pattern is surprisingly common. From the perspective of information security experts, a statement such as “database backups have been leaked” conveys a lot of urgency. After all, database backups may contain all sorts of critical information, such as user records, credit card numbers or cryptographic keys. However, these implications are not necessarily obvious to non-technical staff. If a report that merely mentions the leak of database backups is submitted to upper management, there is a high chance that it will be ignored.
Something similar seems to have happened in Yahoo’s case. The initial reports did not lead upper management to take adequate action to investigate the leaks and prevent further ones, which apparently contributed to the string of security incidents Yahoo faced in the following years.
To avoid similar patterns, organizations are advised to take two courses of action:
- Security teams should always include an impact analysis written in plain, non-technical language when submitting reports to upper management. The impact of breaches is often too technical to be estimated by non-technical staff.
- Non-technical staff, including managerial staff, should be trained in the basics of information security. While the task of identifying and mitigating incidents has to be performed by specialists, a basic understanding across the workforce is critical to avoid failures of communication.
As digitalization, and information security with it, continues to grow in importance, making sure that security specialists and non-technical staff communicate effectively will become more and more critical.