Simply put, no.
A major alarm bell was sounded when Yahoo announced 500 million of its user accounts were hacked back in 2014. Describing the act as carried out by a “state-sponsored actor” made everything worse, and serious questions have been raised ever since. For example, why did Yahoo fail to inform the general public for the past two years? If it had been able to keep a lid on the entire story, why was it suddenly forced to reveal the whole ordeal on the verge of a multi-billion dollar takeover deal with Verizon? And now Verizon is demanding a $1bn discount in response to privacy concerns over allegations that Yahoo worked hand in hand with the Obama administration, scanning all emails in 2015 at the request of a U.S. intelligence agency.
Back in September, Yahoo confirmed suffering a major data breach impacting at least 500 million users. There were also reports of an even higher number of hacked email accounts, as many as a whopping 1 to 3 billion. Names, email addresses, dates of birth, encrypted passwords, and encrypted and decrypted answers to security questions were only part of the data stolen from Yahoo. Despite being encrypted, the additional data can easily be reused on other websites in schemes aimed at stealing people’s identities.
With the breach taking place back in 2014, it is hard to believe that a company as highly advanced and sophisticated as Yahoo was left in the dark and simply didn’t know about the entire ordeal for two years, especially when the timing of this discovery has severely impacted the highly lucrative, once supposed-to-be $4.8bn takeover deal with Verizon. With reports indicating that senior Yahoo officials, including CEO Marissa Mayer, learned about the breach in July, when the company was still negotiating the deal with Verizon, why did they keep it in the attic for two more months? In August, Yahoo merely confirmed that it had heard rumors and that an investigation was pending on the matter. Why, then, raise even more suspicions in September through a proxy statement attached to the sale, in which Yahoo claimed no third party had ever raised any reservations about such a major hacking breach?
“To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems,” the statement reads in part. This simply cannot be accurate, as Yahoo had already claimed to have learned about rumors in August.
Recent reports indicate the United States Senate also has many reservations about this highly controversial case. Senator Mark Warner, a Democrat from Virginia since 2009, has requested that the Securities and Exchange Commission probe Yahoo’s cybersecurity representations. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a letter. Needless to say, Warner is a co-founder of Nextel and was a startup investor in the past, indicating he knows what he is talking about when probing the possibility of Yahoo not properly notifying the public, and its investors, in this regard.
“The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it,” Warner added in his letter. “I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.”
While it seemed nothing could get any worse, allegations were raised recently that Yahoo succumbed to a demand by a U.S. intelligence agency to scan all its users’ emails in 2015. Once again Mayer has been found responsible: she reportedly had the final say on not fighting the intelligence agency’s demand in court and on ordering the creation of mail-scanning software. And all this was reportedly carried out without the knowledge of Yahoo’s security engineers. To add insult to injury, the surveillance project was not raised in Yahoo’s biannual transparency report, which is responsible for documenting government demands for user information.
Although large breaches going undetected for long periods are relatively common in this industry (for example, hacks against MySpace and Tumblr went undetected for years), the claims raised about Yahoo over security don’t add up properly. This is yet another case of security struggles in Yahoo’s portfolio. Remember how the company lost many C-level security executives before any talk about reaching a deal with Verizon.
One cannot deny that investors and the entire general public, let alone the at least 500 million affected users, have the right to be informed about such controversial events impacting Yahoo. One can also easily argue that Yahoo’s first and foremost responsibility was to report these breaches as soon as possible and practice transparency, instead of placing its economic interests before the trust of its hundreds of millions of users.