In September 2016, Yahoo announced that it had fallen victim to a data breach originating in 2014, in which information from over 500M accounts was taken, making it the biggest known single-site data breach to date. Details are still forthcoming, but the information is reported to have included names, email addresses, dates of birth, hashed passwords, and security questions and answers. The consequences of an email provider breach of this size will be felt for years to come. Most interesting, however, is that Verizon is likely to bear a large share of the initial damage, as it is currently in the process of acquiring Yahoo for $4.8B. In this article, we’ll cover some of the most important details of the hack and how mergers and acquisitions (M&A) teams need to account for cybersecurity risk in their target assessments.
Yahoo Encrypts Passwords, Fails to Encrypt Secret Questions and Answers
According to Yahoo, a state-sponsored attacker was responsible for the breach. The announcement came months after a hacker using the name ‘Peace’ had been offering what was claimed to be data on 200M Yahoo users for sale on hacker forums. This is the same person who sold the leaked LinkedIn data and who has claimed to be a former member of a Russian cybercrime organization. In response to the breach, Yahoo reset affected users’ passwords and notified them by email, reminding them to change their security questions and answers as well.
Fortunately, Yahoo noted in its official statement that, from what it knows so far, payment card data and bank account information do not appear to have been compromised, and that the ‘vast majority’ of passwords were hashed with bcrypt, a deliberately slow, salted password-hashing function that we covered in our article on the Dropbox and Last.fm hack. There are a couple of worrying issues, however.
- An unknown number of passwords were not hashed using bcrypt, making them easier to crack.
- Yahoo stated that the stolen data included ‘encrypted and unencrypted security questions and answers’.
Yahoo has invalidated the unencrypted security questions and answers, but the fact that they leaked in the clear creates a more complicated problem.
Security questions and answers are usually an additional form of identity verification, so for all practical purposes they are secondary passwords. Worse still, for some services and software, answering a security question is a way to bypass a password, reset it, or otherwise gain access to an account. An attacker who now holds email addresses together with their associated questions and answers can try that same information against other services.
It’s well known how often passwords are reused, and security answers are likely to be reused too, since a person’s mother’s maiden name or first pet does not change from site to site. If patterns appear within the answers, they can be exploited in the same way that lists of the most common passwords are. Unfortunately, it’s hard to know how victims of the breach will be affected. Users should change their Yahoo passwords, security questions, and answers, and be mindful that any passwords or answers shared with other services may be putting them at risk.
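The point above, that security answers are passwords and should be stored like them, is shown in the following added example; it is illustrative code written for this article, not Yahoo’s code or a description of its systems. Yahoo used bcrypt for most passwords; bcrypt is a third-party package, so this example uses the standard library’s PBKDF2-HMAC instead, and the storage pattern (normalize, salt, slow hash, constant-time compare) is the same. The sample answers and the leaked data are constructed for the example. The last function shows why hashing at one site does not protect a user whose plaintext answer leaked from another: the attacker simply tries the leaked answers against the hashed record.

```python
"""Store and verify security-question answers the way passwords are stored.

Added example for this article (not Yahoo's code). Uses PBKDF2-HMAC-SHA256
from the standard library in place of bcrypt so it runs with no extra packages.
"""

import hashlib
import hmac
import os
import unicodedata

# Deliberately slow; tune to your hardware. Lower values are used in tests only.
PBKDF2_ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode-normalize (NFKC) and collapse whitespace.

    Answers are typed by humans: a user who enrolled with "Spring  field "
    should still verify with "springfield"-style variations in spacing/case.
    Normalizing before hashing keeps verification usable without storing the
    answer itself.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # per-answer salt: identical answers get different hashes
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guess_from_leak(leaked_answers, record: str):
    """Attacker's view: try plaintext answers leaked from site A against the
    same user's hashed record at site B. Returns the reused answer or None.
    A slow hash only limits how many guesses per second; it does not help when
    the attacker already holds the right answer from another breach."""
    for answer in leaked_answers:
        if verify_answer(answer, record):
            return answer
    return None


# Constructed sample data for the example (not real users or real leaked data).
LEAKED_PLAINTEXT_ANSWERS = ["Smith", "Fluffy", "Springfield"]


def demo(iterations: int = 50_000):
    """Enroll an answer at a second site, then show a leak-driven guess succeeding."""
    record = hash_answer("fluffy", iterations=iterations)
    return {
        "verifies_with_case_change": verify_answer("FLUFFY", record),
        "rejects_wrong_answer": not verify_answer("Rex", record),
        "reused_answer_found": guess_from_leak(LEAKED_PLAINTEXT_ANSWERS, record),
    }


if __name__ == "__main__":
    print(demo())
```

The `guess_from_leak` function is the practical consequence of the leak described above: once an answer has been exposed in plaintext anywhere, every other service that accepted the same answer is exposed too, regardless of how well that service hashes it. The only mitigations are on the user side (change reused answers, or treat answers as random secrets kept in a password manager) and on the service side (do not allow a security answer alone to reset a password).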
How Verizon’s Acquisition Deal Might Be Affected
As mentioned earlier, Verizon agreed in July to pay $4.8B for Yahoo’s core business. However, it was not made aware of the data breach until the week of the public announcement. Verizon’s official press statement on the breach is below:
“Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
Verizon’s statement makes it fairly clear that it is willing to revisit the proposed acquisition in the interests of its shareholders, customers, and consumers. Since the statement’s release, a flurry of speculation about the deal has cropped up. A number of outlets have noted that Verizon could renegotiate its initial purchase price, with the Times noting that Verizon could invoke the MAC clause in its sales agreement. MAC stands for ‘material adverse change’, a clause that can come into effect if a negative event or development occurs between the signing and the closing of a deal.
Further details surrounding the merger show that Verizon currently does not have access to Yahoo’s servers to conduct its own investigation (access it would need in order to gather its own evidence should it seek to renegotiate), and that while Verizon performed due diligence on Yahoo, how much of that due diligence covered security is not clear.
The Lack of Cybersecurity Due Diligence in M&A
Cybersecurity risk and due diligence are becoming an increasingly important part of the M&A process. A 2016 survey report published by West Monroe Partners notes that 77% of respondents said “the importance of data security issues at M&A targets has increased significantly over the last two years,” 80% said that cybersecurity issues were highly important when conducting due diligence, and 43% said that potential complications for post-merger integration are a top concern.
Looking deeper into the report, you can see some concerning findings that should be considered when performing due diligence on a potential target.
- 70% of respondents found compliance problems in their targets
- 40% found a lack of comprehensive data security architecture
- 37% found vulnerabilities to insider threats
These issues translate into real consequences: 23% of respondents walked away from a deal because of data security issues found in a target, and, in a situation similar to Verizon’s, 40% discovered a data security problem only after an acquisition deal had gone through.
How To Prevent The Consequences Stemming From Poor Cybersecurity Due Diligence
It’s clear that Verizon isn’t alone in failing to perform proper cybersecurity due diligence. Just as information security is increasingly important in all industries, M&A also needs to keep up with the role cybersecurity due diligence plays in target assessments. Unfortunately, the same pitfalls that afflict third-party risk management also apply to M&A due diligence: assessments are often point-in-time, self-reported, and focused on compliance rather than security.
Organizations should be focused on more modern forms of assessments that take on a true ‘trust, but verify’ model, ensuring that assessments are independent and focused on data security in addition to compliance. M&A departments can learn a lot from our ‘Revamp Your Vendor Risk Management’ article series (see Part 1, 2, and 3 here) that outlines how to truly assess a third-party or potential target’s risk. These steps and principles aren’t only helpful for assessing a target prior to acquisition, but will also ensure that risk is mitigated on an ongoing basis.
The SecurityScorecard security ratings platform allows users to easily look at the security posture of any organization, whether an acquisition target or existing partner, providing on-demand security intelligence. For more information, request a demo below.