Breach Response , Data Breach , Risk Management
Verizon's Yahoo Breach Question: What's 'Material'? Don't Expect World's Largest Data Breach to Derail Verizon's Yahoo Buy Verizon says the sun isn't setting on its deal to acquire Yahoo. Photo: Mike Mozart (Flickr/CC)Verizon is reportedly awaiting the full results of a digital forensic investigation into the record-setting Yahoo data breach to ascertain whether it will revise its $4.8 billion bid to buy the search firm (see Verizon Reportedly Demands $1B Yahoo Discount After Breach).
See Also: Disrupt Attack Campaigns with Network Traffic Security Analytics
But Verizon CEO Lowell McAdam said that in this era of mega-breaches, he was "not that shocked" to learn of the hack attack against Yahoo, given the ease with which attackers operate today, The Wall Street Journal reported.
Speaking Oct. 10 at the Internet Association's Virtuous Cycle conference in Menlo Park, Calif., McAdam emphasized that proper defenses must be in place, but said it's nearly impossible to avoid getting breached (see Verizon Confirms Breach Affecting Business Customers).
"We all live in an internet world; it's not a question of if you're going to get hacked but when you are going to get hacked," McAdam said, according to the news report.
McAdam also dismissed a recent report in the New York Post that Verizon was demanding a $1 billion discount on the price for acquiring Yahoo in light of the breach, which came to light after it made its bid for the company. "That is just total speculation - we still see a real value to the asset there," McAdam said, according to CNBC. "But in fairness, we're still understanding what was going on, to define whether it's a material impact to the business or not. But the industrial logic of doing this merger still makes a lot of sense ... I'm hoping we can get through all this stuff and get to the [deal's] close."
The "material impact" phrase is telling. That's a reference to U.S. Securities and Exchange Commission guidelines that require a company's management team to "consider financial, operational and other information known to the company" to identify - and detail - "trends and uncertainties that will have, or are reasonably likely to have, a material impact on a company's liquidity, capital resources or results of operations," according to an analysis published by Harvard Law School's Forum on Corporate Governance and Financial Regulation.
McAdam added that the investigation into the Yahoo breach - and presumably what senior managers knew and when - is at least halfway done. So for full results on any potential "material impact" that the breach may have had on Yahoo's value, stay tuned.
No Titanic Turn
For any Yahoo users looking for justice over so many details having been stolen and the delay in the details coming to light, however, don't hold your breath. Just once, it might be nice if corporate America had its data breach "Titanic" moment and a firm sank after suffering a hack attack, thus offering a cautionary lesson about the perils of under-investing in cybersecurity defenses or ignoring your security team's advice, as Yahoo CEO Marissa Mayer reportedly did when it came to the company complying - as well as how it complied - last year with a secret U.S. government directive requiring it to scan emails.
But aside from some breached cybersecurity firms and cryptocurrency exchanges, data breaches have rarely been fatal, and firms typically rebound, seeing no long-term effect on their stock prices, said developer Troy Hunt, who runs the free Have I Been Pwned? breach-alert service, at the Oct. 6 ScotSoft conference in Edinburgh, Scotland.
Having a Target Moment
But that's not the full breach story. "This premise that there's no long-term impact is right, but it overlooks that there can be some very pronounced short-term effects," Hunt said.
For starters, a company's stock price may take a short-term hit, and its reputation can get dragged through the mud, as happened to Target and TalkTalk as their CEOs were respectively grilled by Congress and Parliament.
Eventually, however, the inquiries and related furor usually dies down, perhaps replaced by a new focus on yet another big data breach that's just been discovered elsewhere.
Yahoo is now having its Target moment. Of course, Yahoo's plight is more complicated - it's in the midst of negotiations on its sale to Verizon.
But using past breaches as a guide, it's unlikely that Yahoo's record-setting data breach will derail the Verizon deal, or lead to a re-evaluation of the company or its prospects that results in any appreciable "material impact."
For anyone who cares about cybersecurity and breach prevention, it's a depressing reality: To the list of life certainties that you can't do anything about - death and taxes - just add data breaches.