Yahoo No More - Penance For Poor Protection

Author: Ms Ailbhe Ní Bhriain and Bryan McCarthy
Profession: Ronan Daly Jermyn

A recent decision by a Californian court has ruled that Yahoo, now known as 'Oath', must face litigation as a result of failing to report the largest-ever cyber-attacks to date.

Yahoo, having been acquired by the US multinational telecommunications company Verizon, will face litigation from over a billion users whose personal data was retrieved as a result of the attacks. Despite Yahoo asserting that the users did not have the requisite legal standing to commence proceedings, the court declared that the plaintiffs faced an "alleged risk of future identity theft" [1] and therefore had a valid interest in pursuing the company. It was also argued that, had disclosure been made by Yahoo at an earlier stage, steps could have been taken by the users to mitigate the losses suffered.

Attack One

The first major cyber-attack to hit Yahoo, in 2014, was first disclosed in September 2016, when it emerged that email addresses, names and security information of over 500 million Yahoo accounts had been stolen. This was the largest-ever cyber-attack recorded at the time. Despite its gravity, the hack only came to light two years later, while claims that 200 million Yahoo user records had been offered for sale on the dark web were under investigation.

This attack was largely blamed on the weak password protection method used by Yahoo, known as 'MD5 hash'. Dave Palmer, director of technology at cyber security company Darktrace, described the method as "extremely dated" and unsuitable for a company such as Yahoo to be using. [2]
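To illustrate why unsalted MD5 is an unsuitable way to store passwords, and what the defensive alternative looks like, here is an added example (not code from the article or from Yahoo): the same password always produces the same MD5 digest, so one precomputed table of common passwords matches every affected account at once, whereas a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 here) give every user a distinct, slow-to-compute record. The passwords and user records are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count for PBKDF2-HMAC-SHA256; a deliberately slow setting (assumption:
# tune to your hardware budget, the point is that it is far slower than one MD5).
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """Legacy scheme the article criticises: one fast, unsalted MD5 digest per user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Salted, iterated KDF: a fresh random salt per user and a slow derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def pbkdf2_verify(password: str, salt: bytes, stored_hex: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_store(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def lookup_table_hits(stored_md5: List[str], guesses: List[str]) -> Dict[str, str]:
    """Why unsalted MD5 fails: one precomputed table of guesses matches every
    stored digest at once, with no per-user work. Returns digest -> recovered password."""
    table = {md5_store(g): g for g in guesses}
    return {h: table[h] for h in stored_md5 if h in table}


if __name__ == "__main__":
    # Constructed sample: two users chose the same weak password.
    users = {"alice": "password", "bob": "password", "carol": "correct horse battery"}
    md5_records = {u: md5_store(p) for u, p in users.items()}
    print("identical MD5 digests:", md5_records["alice"] == md5_records["bob"])   # True
    print("table hits:", lookup_table_hits(list(md5_records.values()), ["password"]))
    kdf_records = {u: pbkdf2_store(p) for u, p in users.items()}
    print("identical PBKDF2 digests:", kdf_records["alice"][1] == kdf_records["bob"][1])  # False
    salt, stored = kdf_records["alice"]
    print("verify alice:", pbkdf2_verify("password", salt, stored))  # True
```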

The September 2016 disclosure came two weeks after Yahoo released a statement that the company had no knowledge of any incidents of security breaches, unauthorised access or unauthorised use of its IT systems. [3] Fortunately for Yahoo and its victims, this attack did not expose payment card data or bank account information of its users, as this was stored on a different network.

Attack Two

The second attack, in which hackers stole personal data from more than a billion Yahoo accounts in August 2013, was disclosed in December 2016. The information accessed contained unencrypted security questions and answers. Yahoo then further confirmed that the data may in fact have included names, email addresses, telephone numbers and dates of birth. This subsequent failure to disclose another significant breach led to the beginning of investigations by the US Securities and Exchange Commission and led to the arrest of two officers of the Russian Federal Security...
