Information Security

Defending the digital infrastructure

alphaspirit - Fotolia

No customer data leaks? Companies look down the rabbit hole

When Yahoo finally disclosed a massive 2014 data breach to up to five hundred million affected account holders in September 2016, some already had legal representation.

Leaks can be hard to stop. Just ask President Trump.

Companies have released financial reports that cite major security incidents but claim there was no evidence of a data breach (A.P. Moller-Maersk), loss of data that could affect payment card security (Yahoo) or third parties' or customers' personal account information (Fed Ex Corp.). How can they be so sure? Other organizations -- like Equifax, Yahoo and more -- announce data theft months or years after the intrusions, and their 'timelines' of what they knew, and when, about these data leaks face scrutiny.

Yahoo, now called Altaba, acknowledged personal account data leaks two years after the thefts took place and just months after the company had reached a $4.83 billion deal to be acquired by Verizon Communications. When Yahoo finally disclosed a massive 2014 data breach of up to five hundred million affected account holders in September 2016, some already had legal representation. Within weeks, Yahoo was facing data breach lawsuits from customers who claimed that the lapse in time to discover and disclose the data leaks had put them at risk of identity theft.

Things soon got worse. In December 2016, Yahoo officially disclosed a "second" data breach, claiming it occurred in August 2013 and exposed account information of up to one billion users. The company said it was contacted by law enforcement about the potential data leaks and could not determine how it occurred. CISO Bob Lord acknowledged in a blog to users: "We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data."

This past March, two lawsuits against the company also named Verizon -- which announced plans to acquire Yahoo's operating business in July 2016 and finalized the deal in June 2017 for an estimated $4.48 billion. As first reported in The Mercury News, the data breach lawsuits stated that the telecommunications company "aided" Yahoo executives' neglect of fiduciary duties by shaving $350 million off the initial deal with Yahoo while still allowing its executives to keep "golden parachutes" when the deal closed. Law firm Cotchett, Pitre & McCarthy, based in Burlingame, Calif., filed the lawsuit against Verizon.

Yahoo's handling of the massive data leaks also has the attention of the U.S. Senate. While this tangled tale ultimately benefited executives like former Yahoo CEO Marissa Mayer, who was estimated to make $186 million on the Verizon deal, the financial stakes around data protection for many companies are getting higher. Add cloud to the mix, and data leaks from misconfigurations -- as we reported earlier this year -- may lead to compromised servers. In July, 14 million records of subscribers accessing Verizon's third-party customer services may have been exposed by Israel-based Nice Systems. Reports suggest that employee mishandling of Amazon Simple Storage Service caused the breach.

With the advent of cloud and big data, analysts have started to point enterprises toward a data-centric security model. Jaikumar Vijayan reports on the issues surrounding these transitions in this month's cover story.

We also look at Verizon's "2017 Payment Security Report" for the latest numbers on interim PCI DSS compliance and the requirements that some companies struggle to meet.

While the Trump administration's lack of attention to U.S. cybersecurity has caused turmoil, some states are taking action. In August, Delaware became the second state, following Connecticut, to mandate that organizations that expose personal account information provide customers with one year of free credit monitoring.

Article 3 of 4

Next Steps

Find out more about data prevention products

Better ways to control and secure cloud access

Tips to keep Amazon S3 buckets secure

Dig Deeper on Data security and privacy