Verizon Reportedly Demands $1B Yahoo Discount After Breach
But Breached Businesses Typically Face Few Long-Term Repercussions
(Editor's Note: A new blog on the latest developments is now available.)
Yahoo's failure to spot a massive breach of its systems in late 2014, leading to the theft of information relating to at least 500 million users, could cost the company's shareholders $1 billion.
Verizon in July made an offer to acquire Yahoo for $4.83 billion in cash. But a New York Post report, citing unidentified sources, says that Tim Armstrong, CEO of Verizon's AOL unit, "is getting cold feet" over the deal and now demanding a $1 billion discount.
One source tells the newspaper: "He's pretty upset about the lack of disclosure and he's saying 'can we get out of this or can we reduce the price?'" Apparently, the reports of Yahoo's compliance with a secret U.S. government order to spy on some email accounts aren't having the same effect.
Of course, this could just be tough talk designed to cut a better deal, although Verizon is also weighing whether it would need to set aside a $1 billion fund to deal with expected future liability related to the Yahoo breach, the newspaper reports.
Both Verizon and Yahoo declined to comment on that report.
Obviously, Verizon hasn't run away from the deal, so it believes it still has something to gain via the acquisition. By combining Yahoo with AOL, which it acquired 16 months ago for $4.4 billion, Verizon could challenge Google and Facebook for a bigger share of online advertising revenue.
Scant Long-Term Breach Repercussions
If Yahoo's sale price were slashed, however, it would be a highly unusual consequence for a data breach. And the prospect is already being cited as a cybersecurity and privacy wake-up call.
"Could Yahoo's $1bn 'discount' be the most costly cyber event ever?" asks Surrey University computer science professor and cybercrime expert Alan Woodward via Twitter. "How much is privacy actually worth?"
Historically, the market hasn't punished breaches. "There can be some very pronounced short-term effects," said developer Troy Hunt, who runs the free Have I Been Pwned? breach-alert service, speaking Oct. 6 at the ScotSoft conference in Edinburgh, Scotland.
For example, London-based telecommunications company TalkTalk's stock price plunged in October 2015 as details about a data breach - its third one that year - began to emerge.
Here's how @TalkTalk stock has performed on London exchange before/after Oct. 2015 breach. (Source: Google Finance) pic.twitter.com/FN05FLDvsL
— Mathew J Schwartz (@euroinfosec) June 14, 2016
But relatively few businesses face long-term repercussions from a breach. LinkedIn, for example, is currently second on the Have I Been Pwned list of the biggest known breaches of all time - 165 million accounts stolen - and is in the midst of being acquired by Microsoft for $26.2 billion in cash.
What's a little historical mega-breach between business friends?
There are some exceptions. When bitcoin exchanges get breached and bleed cryptocurrency, for example, they tend to go out of business. So do some security firms. For example, Dutch certificate authority DigiNotar issued bad certificates in 2011 and subsequently went bankrupt. But other security firms that suffered breaches, such as Bit9 and RSA, are still soldiering on.
Still Fumbling the Basics
One truism about cybersecurity is that despite an organization's best efforts - having a clear security mandate from the top, maintaining a proactive information security posture and making appropriate investments in people, processes and technology - it could still be breached.
But many breaches have revealed that organizations failed to get the security basics right. This week, for example, the U.K.'s Information Commissioner's Office - the country's privacy watchdog - released the details of its investigation into TalkTalk's October 2015 breach. It found that the company's failure to catalog its IT infrastructure, apply a 3.5-year-old security patch to a MySQL database or block SQL injection attacks had allowed an attacker to steal personal data relating to 100,000 customers "with ease." As a result, TalkTalk was slapped with a record fine of £400,000 ($511,000).
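The ICO's finding that TalkTalk had failed to block SQL injection is the kind of basic that is easy to verify in code review. The example below is added here for illustration and is not code from the article or from TalkTalk; it uses a constructed in-memory SQLite table with three made-up customer rows and compares a lookup that builds its query by string concatenation against the same lookup using placeholder binding. A tautology string that a tester would feed to both shows why the first leaks the whole table while the second treats the input as a plain value.

```python
import sqlite3

# Constructed sample data: a tiny customer table, not any real company's schema.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]

LOOKUP_COLUMNS = "id, username, email"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: user input is spliced into the SQL text, so it can change the query's logic."""
    query = (
        f"SELECT {LOOKUP_COLUMNS} FROM customers WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value separately, so it can never be parsed as SQL."""
    query = f"SELECT {LOOKUP_COLUMNS} FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare_lookups() -> dict:
    """Run both lookups on a normal name and on a tautology string; return row counts."""
    conn = make_db()
    normal = "alice"
    # Classic test input: closes the string literal and appends an always-true clause.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_normal": len(lookup_parameterized(conn, normal)),
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in compare_lookups().items():
        print(f"{name}: {count} row(s)")
```

The concatenated query returns every row for the tautology input, which is the "with ease" the ICO described; the bound query returns none, because no customer is literally named `x' OR '1'='1`. The same principle holds for every driver that offers placeholders, and reviewing for string-built SQL is a cheaper control than any fine.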
The fine imposed on TalkTalk was "ridiculous," Hunt said. "It was .02 percent of their revenue, which is like the money they'd lose down the back of the couch and not even notice."
The ICO said its fine took into account TalkTalk's cooperation with investigators, its subsequent security improvements, and its February report that the breach had already cost it £50 million ($76 million) and led to the loss of 100,000 customers. The ICO can only impose a maximum fine of £500,000 ($615,000).
Bigger Fines Coming Soon
Beginning in May 2018, European privacy regulators can impose fines of up to 4 percent of a firm's global annual revenue or €20 million ($22.5 million) - whichever is greater - thanks to the EU's new General Data Protection Regulation.
Any business that has customers in Europe - such as TalkTalk and Yahoo - must comply with the new regulation, which also requires organizations to notify authorities quickly if they discover they've been breached.
Whether the GDPR will lead more organizations to take security seriously - before they get badly breached - remains to be seen. But if that doesn't convince them, the potential $1 billion drop in Yahoo's sale price just might.