Yahoo has confirmed a large-scale data breach of its systems in 2014, in which 500 million user records were lost. We speak to cyber security experts to discover what this could mean for businesses and ordinary people.

James Lyne, global head of security research, Sophos:

“We continue to see even the biggest companies breached by cybercriminals looking to gain access to the private information their users provide to create a profile, including their password, date of birth or security question data. Cyber criminals are very proficient at using such data to commit broader fraud, so the ramifications of such a breach can extend well beyond e-mail.”

Mark Skilton, a professor of practice at Warwick Business School and an expert on cyber security:

“While it’s not a surprise to hear the magnitude of users that have been corporate hacked – after all the rise of the digital business means everyone is more or less online these days – what is shocking is the date, 2014, and the sense of resignation that some may have to the event. This is far too late for professional cyber security risk management and certainly from the organisational practices inside a company like Yahoo! that one would expect.

“The other factor is the legal impact for Yahoo! from the reputational impact and liability in losses for customers. This could yet be significant and a headache for Verizon in its planned imminent takeover of Yahoo!.

“The lateness of the attack discovery, a whole two years, and the indication that it was a government state sponsored attack suggests both a highly professional stealth attack or perhaps some failure in basic perimeter monitoring by Yahoo!’s internal security practice.

“Either way, serious questions on internal checking of data breaches must be addressed. There will be a significant internal review in Yahoo! and Verizon to develop a turnaround plan for this hack, but it also suggests a need for a stronger, perhaps government and industry, role to increase cyber protection in the light of the rise in more stealth attacks.

“The infamous Russian bank stealth attack had a similar slow burn attack from an undetected stealth attack that resulted in an estimated 1 billion euro loss from several banks.

“This Yahoo! situation is not that level of financial loss, but the impact and rise of huge cyber-attacks will need stronger cyber responses.”

Joe Hancock, cyber security lead at Mishcon de Reya, said:

“This is a huge loss of 500 million records which has gone seemingly undetected for over eighteen months. 200 million records have been offered for sale since August, and may have come from a previous data breach. Attributing this breach to a state actor is unusual, as such a large data set would usually be targeted by criminals. Yahoo has moved quite slowly to confirm the breach and to put protective options in place, although the sheer scale of data lost is hard to comprehend.”

“The release is likely to increase the use of the stolen credentials for other online services, or where a similar password has been used. The fact that security questions and answers were lost is also concerning, as they are often common to many services – it’s hard to remember to change your mother’s maiden name or first pet. There are likely to be more historical breaches coming to light in this manner, although they may not be attached to such a large brand.”

“This comes at a difficult time for Yahoo, as it may affect its upcoming sale to Verizon. After the 2013 data breach at Target, legal claims ran to millions of dollars and continued for several years. In the case of TalkTalk, the share price fell by 11.5%, before recovering. Breaches like this hit a business’ balance sheet.”

Jamie Graves PhD, co-founder and CEO of cyber security company ZoneFox.com:

“Yahoo, which was recently acquired by Verizon, has stunned the world by announcing what is thought to be the largest data breach to date. 500 million user records are thought to have been lost, with at least 200m already confirmed for sale on the Dark Web.

“Yahoo claims that it was compromised by a nation state, which means that a hacking team with the resources of a government had penetrated their defences. This type of attack is often difficult to defend against, and a number of other well-defended organisations have fallen victim to this type of attack.

“Although the size of the breach is staggering, what has stunned the industry most is the fact that it has taken Yahoo 2 years to disclose. In this time, a great deal of additional harm will have occurred to the compromised accounts, ranging from account hijacking through to identity theft and fraud.

“The Yahoo attack highlights the reason why good detection capabilities, aligned with laws that force this form of disclosure in a short period, such as the GDPR, are crucial to help protect personal information. Furthermore, organisations must not only have rigorous cyber security measures in place but also a disaster recovery plan to respond immediately to a breach if the, sometimes, inevitable occurs.”

Nicola Fulford, head of data protection & privacy at technology and digital media law firm Kemp Little:

“Why has it taken so long for Yahoo! to become aware of the breach? Serious questions need to be asked about the effectiveness of the security measures and information governance structures in place. Just talking about the breach has revealed a number of people who had their Yahoo! accounts hacked in 2014. Under the new GDPR law, breaches will have to be reported without undue delay and at least within 72 hours of becoming aware; fines may be up to the greater of EUR20 million or 4% of global turnover, and late notification of a data breach could of itself attract a fine.

“Passwords can be changed but factual answers to security questions (such as mother’s maiden name) can’t be. Knowledge of security answers could give hackers full access to email and other accounts, which contain details of a whole host of sensitive information about finances, health, family and career. This information would enable anyone with access to build a detailed picture of someone’s life and enable I.D. theft. The current ICO criteria for expecting a data breach to be reported to them considers the sensitivity of the data and the volume of data – the Yahoo! breach ticks both boxes.

“The recent tribunal decision relating to the TalkTalk breach held that customers raising detailed complaints can give sufficient awareness to a company of a breach. Under mandatory breach notification rules they do not have additional time to then carry out their own investigations before being obliged to notify the breach. Whilst Yahoo! may not be subject to the same mandatory laws as TalkTalk currently, in light of the Verizon deal, they may still regret not being more open with their customers (and the ICO) earlier.”