Yahoo, the American technology company most famous for its use of a web portal to organize categories of websites and its contributions to early Internet search engine technology, announced today that at least 500 million user accounts were breached in a 2014 cyber attack. Data stolen by what Yahoo believes to be state-sponsored actors includes names, email addresses, telephone numbers, dates of birth, and hashed passwords. Breached data may also include account security questions and answers; however, whether that data was encrypted appears to vary on an account-by-account basis. Yahoo was quick to note that its investigation into the data breach has not shown that the stolen data includes unhashed passwords, credit card information, or bank account information. This breach may be the largest data breach publicly disclosed, and it comes on the heels of the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares fell after the announcement, but analysts have noted that the acquisition is unlikely to be affected by the news.
Yahoo becomes another name on the long list of American companies that have suffered a high-profile data breach since 2013. Target was famously breached in 2013 when more than 40 million credit and debit card accounts were compromised during the holiday shopping season. Home Depot was breached in 2014 and lost over 56 million credit and debit cards. And in March 2016, Verizon Enterprise Solutions, a division of Verizon Communications, reported a breach of 1.5 million contact records. While the Verizon Enterprise Solutions data breach was not considered as high-profile as other recent data breaches, the fact that Verizon Enterprise Solutions sells security products and services, including breach cleanup and recovery services, is strong evidence that companies are converging into two categories: companies that have been hacked and companies that will be hacked again.
Privacy officers and a company’s legal counsel must be cognizant of and diligent about implementing the five most basic and fundamental truths to protecting consumer personal data:
- Collect and Store Only Required Data. Sweeping up and storing data beyond what is needed in order to provide a company’s services opens the door for cyber criminals to access and expose more consumer personal data. A company’s leadership must think very carefully about what personal data it is collecting and why it is collecting it from its consumers – collecting and storing unnecessary personal data exposes consumers and the company to additional risk that is avoidable.
- Embrace the Principle of Least Privilege. The Principle of Least Privilege is a restrictive computing practice that allows a user to access only the data necessary for a legitimate purpose. By giving employees only the access privileges they need, a company can minimize the number of employees who have access to consumer personal data, making the pool of employees with heightened access smaller and easier to manage.
- Implement an Internal Company Privacy Policy. Having a privacy policy that establishes internal controls for who collects consumer personal data, how it is collected, where it is stored, and for how long it is stored is critical for protecting consumer personal data. The privacy policy should obligate every employee with access to consumer personal data to protect that data, and it should obligate the company to provide annual training and updates to employees.
- Follow the Breach Plan. When, not if, a company is breached, it must stick to its breach plan to stay ahead of law enforcement, regulators, the media, and further disclosure of consumer personal data. The breach plan should be written alongside the company’s internal privacy policy – the documents go hand in hand and work together to help control a breach. Employees must know what their roles are during a breach, when they must act, and whom they need to contact when they discover a breach. Not having a breach plan can lead to a reactive response, which makes investigating and containing the effects of the breach more difficult.
- Use Industry Best Security Practices. Above all else, following industry best security practices is the best way to protect consumer personal data. Having a chief information security officer, legal staff, and/or an information technology director who stay on top of trends, events, and changes is the only way a company can minimize the potential for a data breach and decrease the amount of data that is breached. Implementing and maintaining an updated and secure corporate network may be costly and scare executive management into inaction, but the cost of cleaning up a breach is far greater than finding money in the budget to hire security-minded staff and to harden the company’s systems.
The next 5 to 10 years are going to be difficult for IT security professionals as the number of breaches increases, but embracing and preparing for the inevitability of a breach are the first steps to recovery.
Summary and Takeaways
- Yahoo, an Internet technology company, announces a data breach from 2014
- Early investigation indicates the attack was led by a state-sponsored actor
- 500 million accounts breached
- Collect and store only the data you need
- Embrace the principle of least privilege
- Having an internal privacy policy that establishes controls for collecting, storing, and maintaining consumer personal data is the first step to protecting sensitive data
- Follow your breach plan to stay ahead of the breach
- Use industry best security practices