3 Lessons for Enterprise Businesses After Yahoo's Admission of a Massive Data Breach
Yahoo! faced a myriad of scandals during 2016. The company is facing a lawsuit after CEO Marissa Mayer was accused of illegally terminating male employees. However, the biggest problem the company faced was a recent data breach.
What can other large organizations learn from this fiasco?
Background of Yahoo!’s Data Breach
The Yahoo data breach allegedly occurred in 2014. However, the tech giant didn’t notify anyone until December 2016. Here are some pertinent details about the crisis:
- Yahoo! claims the breach was carried out by a foreign government. They didn’t name the government in their report, likely for political reasons.
- Many different types of user information were accessed, including emails, Yahoo! Messenger logs, phone numbers, addresses, birth dates and other personal details.
- The Federal Trade Commission estimates that 490,000 customers were affected.
- The hackers used a number of tactics to steal user information. They sent a variety of phishing emails, which included malware. They also relied heavily on social engineering, such as luring people to websites that were set up to install malware or to trick them into handing over personal information.
- The exact intentions of the hack are still unknown.
This is one of the biggest data breaches in history. It was also shocking because it happened at a massive corporation. Here are some things that other large organizations can learn from it.
Large Organizations Are Popular Targets
According to the report, the hackers behind the attack were employed by a rogue government. They had to use considerable resources to hack the servers. They would have only targeted Yahoo! if they had a good reason.
The truth is that while small businesses are often targeted by hackers, larger organizations like Yahoo! are more likely to be hacked. Hackers are looking for valuable data they can profit from. Large corporations are likely to have something of value, so hackers tend to focus on them.
Larger enterprises must take many precautions to keep their data safe.
Transparency is Highly Important
Yahoo! was allegedly hacked two years before making an announcement. They may genuinely have been unaware of the hack, but there is a strong possibility that they knew. They could have waited for a while until things died down.
Whether Yahoo! was immediately aware of the problem or not, they drew a lot of fierce criticism for failing to be more transparent.
"We're probably just going to dump Yahoo altogether," Rick Hollister, a private investigator in Florida, told Fortune. "They should have been more on top of this," said Hollister, 56. "I'm guessing a lot of people are going to be [expletive] off because they don't know what's out there."
Waiting until things “blow over” is never the best course of action, especially if anyone is put at risk. If customers’ credit cards or other personal information got into the wrong hands, they want to know so they can take corrective action. They also have a right to know whether they are at risk using your service so they can look for other options.
Nobody wants to admit they failed to prevent a security breach. However, things will be much worse if they don’t admit their failings as soon as they are discovered. Whether it is your web hosting or customer records in your SQL database, you need to let people know right away.
Current Authentication Measures are Inadequate
Yahoo! still uses challenge questions for authentication. These questions allow users to reset their passwords if necessary.
Unfortunately, challenge questions are a massive vulnerability, as Joseph Steinberg, CEO of SecureMySocial, points out.
“You cannot reset your mother's maiden name. You cannot move your mother's birthday to a new date. And you cannot retroactively change the color of your first car, or the location at which you first met your spouse. Yes, people can memorize and utilize phony answers to such questions - but doing so simply transforms the challenge question into a demand for a second password, and, especially if you have to change that "password" more than once in response to multiple breaches, any remembrance benefit of asking a question over a password disappears.”
Unfortunately, people do forget their passwords, so you need a system to help them reset them. However, using challenge questions is clearly a big mistake, so enterprises should consult with a managed network security provider to come up with better security protocols.