In April of this year, the U.S. Securities and Exchange Commission (SEC) announced that Yahoo! (now Altaba) had agreed to pay a $35 million penalty to settle charges that it failed to disclose a data breach to investors within an acceptable time. This is fairly historic: it is the first time the SEC has imposed a financial penalty for this kind of failure, on the grounds that it violated federal securities laws.
This incident further reinforces the need for companies to get a better handle on who is accessing their data and what they are doing with it. If you are the unfortunate victim of a data breach, you need to be able to determine which data is affected and notify the correct parties as soon as possible.
So, let’s take a look at what Yahoo! did wrong and see if there are any lessons that can be learned.
What Did Yahoo Do Wrong?
So, to refresh memories: in late 2014, state-sponsored hackers from Russia gained access to Yahoo!'s user database and stole the personally identifiable information (PII) of hundreds of millions of users. The stolen records included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers.
To make matters worse, Yahoo! failed to report the breach to its outside auditors or to the hundreds of millions of users whose PII had been stolen. Yahoo! also failed to disclose the breach to investors: its filings through 2016, and the stock purchase agreement it signed with Verizon when Verizon was looking to acquire the company, still described a data breach only as a hypothetical risk. That was both a breach of trust and a violation of SEC regulations.
Over the next two years, Yahoo! continued to be attacked by Russian hackers, and user credentials kept turning up all over the dark web. Although Yahoo!'s CISO did notify senior management that he believed the entire user database had been compromised, the company again failed to disclose the breach to investors or to the public.
Finally, in September 2016, Yahoo! announced that over 500 million user accounts had been compromised, one of the largest data breaches in recorded history. Once the announcement was made, Yahoo!'s market value fell by over $1 billion, and the company was also forced to give Verizon a sizeable discount of $350 million on the acquisition price. A costly series of mistakes that were very avoidable.
What Should Yahoo Have Done?
It’s fairly simple really. Once the CISO discovered the breach and correctly informed upper management that hundreds of millions of user accounts had been compromised, Yahoo! should have immediately filed a Form 8-K (to inform investors about the breach) and notified its outside auditors and counsel for advice on disclosing the breach to those affected. The main reason the SEC imposed the fine was that Yahoo! did not have “disclosure controls and procedures” in place to make sure information about the breach reached the people responsible for those decisions.
In other words, the SEC expects you to have disclosure controls and procedures that connect your incident response plan to the people who make disclosure decisions: a plan for detecting a potential breach, escalating it to senior management, legal counsel and auditors, and deciding what must be disclosed and when. Policies, guidelines and strict rules need to be put in place that tell every key member of the organization what to do.
What Do You Need to Do?
First things first: you need to be able to detect a potential breach involving data that contains PII. To do this effectively you will need a file server auditing solution that monitors and alerts on access to and modification of sensitive data on your file servers. You should be made aware immediately, through real-time alerts and pre-set reports, whenever any unwanted or unauthorized change takes place that could indicate a hack or a breach. You also need to know who has access to your sensitive data and enforce a policy of least privilege, which limits the damage an insider, or an attacker holding an insider’s credentials, can do.
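To make the detection side concrete, here is an added example (not Yahoo!’s code, and not any vendor’s product) of the kind of logic a file server audit pipeline runs over Windows file-access events. It reads 4663 (“An attempt was made to access an object”) style records, raises an alert when an account outside the authorized list touches a PII share, when anyone modifies data or permissions on it, and when a single account, authorized or not, reads an unusually large number of distinct sensitive files in a short window. A second function reviews a share’s permissions for principals that should not be there, which is the least-privilege check described above. The share paths, account names, thresholds and every event and ACL entry are constructed for the example.

```python
"""
Detection logic for file-server audit events covering PII shares, plus a
least-privilege check on share permissions. Added example; all paths, accounts,
events and ACL entries below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical PII shares and the only accounts that should touch them.
SENSITIVE_SHARES = (r"\\fs01\hr\pii", r"\\fs01\customers")
AUTHORIZED = {"CORP\\hr-svc", "CORP\\alice"}

# Simplified names for rights from the 4663 "Accesses" field that change data
# or permissions (WriteDAC/WriteOwner changes are a classic precursor to theft).
MODIFYING = {"WriteData", "AppendData", "Delete", "WriteDAC", "WriteOwner"}

BULK_THRESHOLD = 50                    # distinct sensitive files per account ...
BULK_WINDOW = timedelta(minutes=10)    # ... inside this window


def is_sensitive(path):
    """True if path is one of the PII shares or lies underneath one."""
    p = path.lower()
    return any(p == s.lower() or p.startswith(s.lower() + "\\") for s in SENSITIVE_SHARES)


def detect(events, authorized=AUTHORIZED, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return (rule, user, detail) alerts for 4663 events that touch PII shares."""
    alerts = []
    seen = defaultdict(list)   # user -> [(timestamp, path)] on sensitive shares
    bulk_flagged = set()       # users already alerted for bulk access
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 4663 or not is_sensitive(e["path"]):
            continue
        ts = datetime.fromisoformat(e["time"])
        if e["user"] not in authorized:
            alerts.append(("UNAUTHORIZED_ACCESS", e["user"], e["path"]))
        if e["access"] in MODIFYING:
            alerts.append(("MODIFICATION", e["user"], e["path"]))
        seen[e["user"]].append((ts, e["path"]))
        recent = {p for t, p in seen[e["user"]] if ts - t <= window}
        if len(recent) >= threshold and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            alerts.append(("BULK_ACCESS", e["user"], f"{len(recent)} files within {window}"))
    return alerts


def over_privileged(acls, authorized=AUTHORIZED):
    """Map each sensitive share to the principals granted access who are not authorized."""
    return {share: sorted(principals - authorized)
            for share, principals in acls.items() if principals - authorized}


# Constructed 4663-style records (a real collector would parse the Security log).
SAMPLE_EVENTS = [
    {"time": "2016-09-01T08:00:01", "id": 4663, "user": "CORP\\alice",
     "path": r"\\fs01\hr\pii\users_01.csv", "access": "ReadData"},
    {"time": "2016-09-01T08:05:00", "id": 4663, "user": "CORP\\bob",
     "path": r"\\fs01\hr\pii\users_01.csv", "access": "ReadData"},
    {"time": "2016-09-01T08:06:00", "id": 4663, "user": "CORP\\mallory",
     "path": r"\\fs01\hr\pii", "access": "WriteDAC"},
    {"time": "2016-09-01T08:07:00", "id": 4663, "user": "CORP\\alice",
     "path": r"\\fs01\public\readme.txt", "access": "ReadData"},
] + [
    # An authorized service account reading 60 customer files in one minute:
    # legitimate credentials, but exfiltration-like behaviour.
    {"time": (datetime(2016, 9, 1, 9, 0, 0) + timedelta(seconds=i)).isoformat(), "id": 4663,
     "user": "CORP\\hr-svc", "path": rf"\\fs01\customers\cust_{i:03}.csv", "access": "ReadData"}
    for i in range(60)
]

# Constructed effective-access map, e.g. built from icacls output.
SAMPLE_ACLS = {
    r"\\fs01\hr\pii": {"CORP\\hr-svc", "CORP\\alice", "CORP\\Domain Users"},
    r"\\fs01\customers": {"CORP\\hr-svc"},
}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
    print("over-privileged:", over_privileged(SAMPLE_ACLS))
```

On the sample data this raises four alerts: one unauthorized read by `CORP\bob`, two for `CORP\mallory` (unauthorized, and a permission change on the share root), and one bulk-access alert for the otherwise legitimate `CORP\hr-svc` account. The ACL review flags `Domain Users` on the HR share, which is exactly the over-broad grant that turns a single stolen credential into a full database theft. The bulk rule matters most here: an attacker holding a valid account, as in Yahoo!’s case, never trips the unauthorized-user rule, so volume and rate of access to PII are the signal you have to watch.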