Yahoo could pay for breach negligence in lower-priced Verizon deal – USA TODAY
SAN FRANCISCO – Yahoo’s trouble over its massive data breach is far from over.
The first of what is expected to be multiple lawsuits linked to the breach was brought in San Jose, Calif. Friday by a customer accusing Yahoo of failing to adequately protect his personal information from data breaches and identity theft. The suit seeks class action status.
Security and management experts are also questioning the timetable and disclosure process followed by Yahoo and its CEO Marissa Mayer in the two years since the breach happened and two months after intense bidding rounds led to a planned sale of Yahoo’s core assets to Verizon Communications.
The hack could give buyer Verizon leeway to lower the $4.8 billion agreed in July – and perhaps even derail the deal.
“They (Verizon) are going to get a price discount,” said Robert Cattanach, a lawyer who specializes in cybersecurity and data breaches at Washington, D.C. firm Dorsey & Whitney. “I would expect that there will be a fairly sophisticated effort to quantify the materiality of the impact of this breach and there would be some sort and price adjustment.”
Yahoo on Thursday said that it had been the victim of a breach in 2014 in which at least 500 million Yahoo accounts were stolen from the company in what it thought was a hack by a state-sponsored actor. The breach, which may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, is one of the largest such thefts of its kind.
That it took so long for Yahoo to realize the hack had happened “seems to fall on the side of carelessness or negligence,” said Rahul Telang, a professor of information systems at the Heinz College at Carnegie Mellon University.
Potentially more damning is the possibility Yahoo senior management knew about the intrusion but didn’t disclose it to users, investors or bidders.
The Wall Street Journal, citing an unnamed source, said late Friday that Yahoo executives had detected hackers in Yahoo systems in the fall of 2014, believed linked to Russia. It wasn’t clear if that breach of 30-40 accounts was linked to the larger theft of information disclosed Thursday.
Could make Yahoo ‘worthless’
The cascade of revelations about the massive theft threatens to delay the merger, expected to close in the first quarter of next year.
Verizon, which beat out multiple bidders for Yahoo assets that include Yahoo Finance, Yahoo Sports, Tumblr and Flickr, said it only learned about the breach two days before Yahoo’s public disclosure.
“I would [ask for a pause] if I was the buyer,” said Chris Bulger, founder of Boston tech advisory bank Bulger Partners. “I would consider this a materially adverse change (a factor that could allow a party to back out of a sale) until my lawyer said don’t worry about it.”
Bulger estimates that Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion – more than Verizon’s $4.8 billion paying price – making Yahoo “worthless,” he said.
The breach also highlights how cybersecurity is becoming a front-burner risk for business deals. Even a frequent acquirer like Verizon may not have done enough homework examining Yahoo’s vulnerabilities.
“While it’s common to perform IT diligence to consider the value or extensibility of assets, organizations can overlook how a security incident could change the value,” said D.J. Vogel, a partner in the security and compliance practice of Sikich, a professional services firm in Naperville, Ill.
The reparations, or payouts to affected customers for credit monitoring and other services, may be the sticking point.
In many cases, the cost of reparations for a breach – $158 per record, according to security research center The Ponemon Institute – “surpasses the value of the deal,” agreed Steven Grossman, VP of strategy and enablement at Bay Dynamics, a computer security company.
Ironically, such reparations would bring Yahoo right back to where it was several months ago when its 15% stake in Alibaba accounted for nearly all of its market cap value of $33 billion. That reality led Mayer and the Yahoo board to agree to pursue a sale of the core business to extract value for shareholders.
Verizon could even call off the deal based on the findings of the subsequent investigation. “There are many shades of grey, depending on when Yahoo became certain of the breach,” Grossman said. “If they were certain of it in July, depending on the terms on timing of disclosures, it could become a deal breaker.”
Among those seeking answers are federal regulators, investors and, of course, Yahoo users, says Scott Kessler, an industry and equity research analyst with S&P Global Market Intelligence. “There are a lot of questions to be answered,” he said. “Yahoo is going to be in a position to have to address some of those especially before the Verizon deal closes.”
Even if the deal continues to go through, the breach will slow the expected gains that Verizon hoped for upon Yahoo’s assimilation. “With IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability,” said Stephen Coty, chief security evangelist at Alert Logic, a security firm.
Perhaps the breach was very sophisticated, Telang says, or maybe with Yahoo facing concerns about costs and, over the past year, the process of selling its core Net business “this is something that was a little bit on the back burner.”
Mayer came to Yahoo more than four years ago from Google with the burden of turning around a troubled company outpaced in digital advertising by Google and Facebook.
If it is revealed that Yahoo scrimped on security while Mayer annually made $42.1 million (2014) and $36 million (2015), that would add to criticism of her time at the helm.