SEC Filing Indicates Yahoo Might Have Known About Data Breach in 2014

NEWS ANALYSIS: A new Security and Exchange Commission filing suggests that Yahoo may have actually known about a massive data breach that it first publicly acknowledged on Sept. 22 as much as two years earlier.

Yahoo Data Breach 2

Yahoo first publicly confirmed on Sept. 22, that it was the victim of a massive data breach in 2014 that impacted over 500 million users. In a new SEC 10-Q filing, Yahoo reported that in fact, it was possible that it was known within Yahoo in 2014 that the company had been hacked.

"An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company's security measures, and related incidents and issues." the filing states.

Yahoo's 10-Q also reveals new details on the initial financial impact of the breach. The filing reports that Yahoo recorded expenses of $1 million related to the breach in the quarter ended September 30, 2016.

That said, Yahoo's breach related expenses may yet rise as the filing also notes that to date, 23 consumer class action lawsuits have been filed against Yahoo in U.S. federal and state courts. The security breach also could potentially have an impact on Yahoo's pending $4.38 billion acquisition by Verizon.

Security experts contacted by eWEEK had a mixed response to the latest disclosure from Yahoo about the data breach and how look it took for the information to come to light.

Tom Kellermann, CEO of Strategic Cyber Ventures said that he's not surprised that Yahoo potentially knew about the data breach in 2014, but didn't make a full public disclosure until 2016.

"This aligns with the corporate culture of plausible deniability," Kellermann told eWEEK. Yahoo's brand "is inextricably tied to the trust and confidence her users place in the safety of the IT infrastructure. Disclosing would have resulted in reputational risk."

In contrast, Brian NeSmith, CEO of Arctic Wolf Networks said that it is inexcusable for Yahoo not to have notified users and the authorities about the breach when they knew about it. He added that hundreds of millions of people trusted Yahoo with their personal and private information and they had a duty to keep that information safe.

Cris Thomas, Strategist at Tenable Network Security also wasn't surprised that Yahoo potentially knew about its breach years before public disclosure. Thomas, previously better known in the security community as "Space Rogue," testified before a U.S. Senate Committee on internet security in 1998 while he was a member of the Cambridge, Massachusetts hacker group known as The L0pht.

"While most of the breaches are disclosed eventually, there are often questions as to whether or not the company released the information in a timely manner," Thomas told eWEEK.

Lessons Learned

While it's not yet exactly clear in the Yahoo breach incident who knew what and when, there are some lessons that can be learned by other organizations. Thomas commented that it is often difficult for information security professionals to clearly communicate the customer and business risks associated with data breaches.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.