SOME YAHOO STAFF KNEW ABOUT THE 500 MILLION USERS’ DATA BREACH BACK IN 2014, DOCUMENTS REVEAL
Some Yahoo staff were aware of the firm’s massive data breach as long ago as 2014, newly published documents suggest. Back in September, the web giant admitted that a “state-sponsored actor” stole 500 million of its users’ account details in 2014, including their names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions and answers.
It was unclear at the time how long Yahoo had known about the breach, but new information has surfaced suggesting that some at the firm had known for years.
In a filing with the US Securities and Exchange Commission, Yahoo said: “The company had identified that a state-sponsored actor had access to the company’s network in late 2014.
“An independent committee of the board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the company in 2014 and thereafter regarding this access, the security incident, the extent to which certain users’ account information had been accessed, the company’s security measures and related incidents and issues.
“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.”
Yahoo added that it “recorded expenses of $1 million (£807,000) related to the security incident in the quarter ended September 30, 2016”. It said it had incurred investigatory and legal expenses and does not have cyber insurance.
“This ongoing saga from Yahoo has laid bare the true cost of cyber attacks,” said Neil Fraser, head of space and communications and UK manager at ViaSat.
“The real risk doesn’t necessarily come from loss of intellectual property or damage to business operations, but rather the ongoing harm to the organisation’s reputation.
“The cost might not be immediately apparent, but over time – or if the business is in a sensitive period – it could easily reach billions of dollars.
“The stakes are so high that organisations need to treat cyber attack not only as a threat but as an inevitability, as whether an attacker is a state or state-sponsored, a criminal enterprise or a single individual looking to boost their reputation, they can cause irreparable damage.”