Dubai: Thursday night’s announcement that Yahoo had been hit by the largest data breach in history comes at a sensitive time for Yahoo, who are currently in the process of being acquired by Verizon. The telecommunications provider agreed to buy Yahoo earlier this year for $4.8 billion (Dh17.63 billion), with the deal not yet closed.
Verizon’s general counsel told reporters in October that the company believed the previous hack may constitute a “material change” in the deal.
News of the additional hack further jeopardises Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off.
The telecom giant had hoped on Yahoo and its many users to help it build a digital ad business.
Verizon has said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.”
Spokesman Bob Varettoni declined to answer further questions.
At the very least, the security lapses “will definitely help Verizon in its negotiations to lower the price,” Avivah Litan of Gartner Inc predicted.
The breach is expected to renew calls for stricter regulation regarding data privacy.
According to Nader Henein, regional director of Advanced Security Services at BlackBerry, the GDPR (General Data Protection Regulation, a new EU legislation) needs to come in to force sooner than mid-2018. “Right now when there’s a breach, no one knows.
“There is no regulation that requires businesses to tell people of a breach. We need more transparency,” he added.
The new legislation will require companies to disclose breaches to the regulator within 72 hours of the incident. The maximum penalty that can be imposed on a company for a breach of customer data is $2.08 billion.
Under current EU directive 95/46/EC, the maximum fine is $100,000 per incident. Penalties in the US are much weaker.
It is not currently known how many of the breached accounts were based in the GCC, but when Yahoo acquired Maktoob in 2009, the company announced that the deal would unite “Yahoo’s 20 million users from the Arab world with Maktoob’s 16 million”. It is unclear how many of these users had email accounts.
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure, as Yahoo said they were scrambled twice — although hackers have become adept at cracking secured passwords.
The fact that Yahoo were either unaware, or chose not to report two breaches of record scale will only intensify the criticism they have faced since September’s announcement.
Security analysts said the 2013 attack was likely the work of a foreign government fishing for information about specific people, although this claim has been disputed by some experts who cite a lack of evidence and motive.
Nonetheless, it doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.
Yahoo closed its last Middle Eastern office in April 2016, laying off close to 100 Dubai-based staff in the process.
