Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that it has evidence of a second data breach, one that affects twice as many user accounts as the 2014 breach.
The beleaguered internet company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, in which cyber criminals stole an estimated 1 billion end users' names, email addresses, telephone numbers, and dates of birth. The criminals also stole hashed passwords (Yahoo said the hashing used MD5, a fast hash that offers little protection against offline cracking) as well as security questions and answers, some of which may not have been encrypted. Yahoo has not explained why some account recovery questions and answers were encrypted while others were not; unencrypted recovery answers are especially damaging because users tend to reuse the same answers across services. The company does not believe financial data was stolen in the breach.
Yahoo is still in negotiations with Verizon over the $4.8 billion acquisition; the announcement of this second breach could affect the deal if it lowers Yahoo's valuation.
As data breaches become more common, privacy officers and legal counsel must be diligent about protecting consumer data and responding quickly to unauthorized disclosures of it. Collecting and storing only the minimum amount of data, granting access to collected data only to those who need it for their job functions, implementing an internal privacy policy, having and following a breach response plan, staying current on threats and patches, and implementing industry best security practices are all ways companies can protect themselves and mitigate the consequences of a data breach.
Summary and Takeaways
- Collect and store only the data you need
- Embrace the principle of least privilege
- Have an internal privacy policy that establishes controls for collecting, storing, and maintaining consumer personal data
- Follow your breach plan to stay ahead of the breach
- Use industry best security practices