From small, locally owned businesses to big organizations, malicious cyberattacks are on the rise; unfortunately, the costs associated with these cyberattacks are rising, too. Between 2013 and 2014, the cost of a corporate data breach rose by 15% to a whopping $3.5 million.
Organizations have a responsibility to keep their customers’ information safe — and when they don’t, those breaches need to be disclosed promptly. But it seems Yahoo has failed on both fronts, which has prompted the SEC to open an investigation into the matter.
Yahoo Inc. suffered two massive data breaches in recent years, traced back to 2013 and 2014. However, the company failed to disclose this information until December and September of 2016, respectively.
This inaction forced the Securities and Exchange Commission to open a case and request documents pertaining to the attacks. Since the SEC requires companies to disclose cybersecurity risks as soon as they are determined to have an effect on investors, the SEC aims to find out whether Yahoo was operating compliantly with civil securities laws.
The data breach that took place in 2014 compromised sensitive data belonging to at least 500 million users. Although Yahoo linked the incident to state-sponsored hackers at the time, they have yet to explain why it took them two years to publicly disclose the breach to the public, which occurred this past September. Three months later, Yahoo made public that they recently discovered a breach that took place in August of 2013 as well, which exposed the private information of more than 1 billion of their users.
Experts in the matter note that it’s too early to say whether the investigation will result in any disciplinary action towards Yahoo, but some speculate that the case could help to clarify legal timing rules, as the current guidance is lacking in its specific requirements. In so doing, the SEC would make clear what kinds of disclosures (or non-disclosures) violate the law.
But what happened to Yahoo is hardly rare. As the 2016 election showed, even experienced politicians can be brought down by amateur hacking techniques like phishing emails. Every day, an estimated 60 billion emails get sent, but up to 97% of those emails are spam. Not only that, but cybersecurity experts believe that at least nine out of 1,000 computers is currently infected by spam.
A recent Pew study showed that 64% of Americans have been victims of data breaches. Between our reliance on technology and a lack of safeguarding our personal information during online activities, it’s no wonder that this has become a widespread problem. Of those surveyed, 41% have found fraudulent charges on their credit cards; 35% have received notification that some sort of sensitive information had been compromised; and 16% found that someone tried to hijack their email accounts.
Despite these widespread risks, 49% of Americans say they write their security passwords down on paper, and 24% say they save their passwords in a note on their computer or phone. In addition, 41% of adults have shared one of their online account passwords with a friend or family member.
However, these widespread security breaches aren’t due to one customer’s lazy password practices. Even when consumers do everything right, if a company fails to have strong security measures in place, they can still fall victim to a cyber attack. Unfortunately for Yahoo, these attacks are incredibly bad for business. Yahoo experienced a dramatic drop in shares immediately after each disclosure.
The timing of the disclosures has also come into question, as they occurred after Yahoo had agreed to sell its core business to Verizon back in July.
“Here you are talking not just about the potential for a data breach, but a deal blowing up because of a data breach,” notes John Reed Stark, a cybersecurity consultant who was previously in charge of the office of internet enforcement at the SEC.
In November, Yahoo stated that it was “cooperating with federal, state, and foreign” agencies pertaining to the 2014 breach.