The breach against Yahoo! included exposing “the usernames, email addresses, phone numbers, birthdates, passwords and security questions/answers for at least 500 million Yahoo accounts” (NLR). This many accounts is a significant exposure and part of the reason the breach was hidden and few users were notified.
The company was fined $35 million by the SEC and paid $80 million in a federal class action settlement (NLR). While these are significant amounts of money, I think this is a fair amount. The company was in an interesting position: it knew that if it notified users it would lose customers, but by staying quiet it risked that revenue in the interim anyway and then got fined later. I’m not sure fines will ever be effective until they become a large portion of a company’s annual revenue; otherwise, they will always just be a slap on the wrist. I think there also needs to be more than fines to hold companies accountable. These types of issues are slowly being addressed in legislation like GDPR and the California Privacy Protection Act.
I do believe that Yahoo! intentionally tried to cover up the breach. I think the sole fact that the company did not mass-contact and inform its users of the breach shows that it was trying to hide what was occurring. The company notified only 6 of the millions of affected users about the breach. The National Law Review article states that the fines given to Yahoo! were the first time fines had been given to a company because of a cyber attack. This has been a continuing trend, with the FTC holding companies accountable for breaches and for privacy in general. In addition to fines, the FTC has been able to require companies to create and maintain security response teams.
I believe that Yahoo’s initial decision not to force password resets was a significant mistake on their part. During the investigation that determines whether a breach has occurred or accounts have been compromised, resetting passwords is almost always part of the process. Sometimes it is simply a good precautionary measure, a “just-in-case”: if it cannot be determined whether an account was compromised, a password reset at least reduces the chance that an attacker will be able to get in again. In this case, Yahoo! knew there were compromised accounts and stolen passwords and still did not force password resets, which is the epitome of a company not doing its due diligence and potentially exposing its users to further compromise, for example if they use the same account credentials on other platforms.
References
https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far
https://techcrunch.com/2018/09/06/alex-stamos-facebook-yahoo-security-officer/
https://fortune.com/2016/12/19/yahoo-hack-cyber-security/