Yahoo Case Analysis 4-3


CASE ANALYSIS

Ethical Issues

Weak security at Yahoo led to a major breach in August 2013 that raised several ethical issues for the company, its customers and its employees. Billions of Yahoo account holders had private information stolen, exposed publicly and sold on dark-web markets by a group operating out of Eastern Europe. The hack exposed names, email addresses, telephone numbers, dates of birth, hashed (MD5) passwords and security questions and answers, some of them stored unencrypted.

The most glaring ethical issue in this breach is that attackers accessed and stole names, dates of birth, phone numbers, backup email addresses, password hashes and, possibly, the question-and-answer pairs used for security questions, which are often used to reset passwords. Yahoo did inform the general public that the stolen information did not include payment card data or bank account information of any kind.

Yahoo disclosed that forensic experts were investigating the creation of forged cookies that could let these criminals gain unauthorized access to accounts without a password. Based on that investigation, Yahoo believed an unauthorized third party had accessed its proprietary code and learned from it how to forge the cookies. The forensic experts identified the user accounts for which they believed forged cookies had been created or used; Yahoo said it invalidated those cookies and notified the affected users.
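The forged-cookie attack described above hinges on one fact: a cookie whose only protection is a server-side secret (a signing key embedded in, or derived by, proprietary code) can be minted by anyone who learns that secret, and no password is ever involved. The Python below is an added example, not Yahoo's code and not a description of its actual cookie format; it models a hypothetical HMAC-signed session cookie with constructed keys and shows a legitimate user's cookie, a cookie forged for another user by an attacker who holds the key, a tampered cookie from an attacker who does not, and the two remediations the essay mentions: rotating the signing key and invalidating cookies issued before a per-user cutoff.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key; an attacker who extracts it (or the code that derives it)
# can mint cookies at will, which is the failure the essay describes.
SERVER_KEY = b"constructed-server-signing-key-k1"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, key: bytes, issued_at: int, key_id: str = "k1") -> str:
    """Build 'payload.mac' where mac = HMAC-SHA256(key, payload). Hypothetical format."""
    payload = json.dumps({"user": user, "iat": issued_at, "kid": key_id},
                         separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_cookie(cookie: str, keys: dict, now: int, max_age: int = 86400,
                  revoked_before: dict = None):
    """Return the user name if the cookie verifies, otherwise None."""
    try:
        p64, m64 = cookie.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
        claims = json.loads(payload)
        key = keys[claims["kid"]]          # unknown key id (e.g. rotated away) -> reject
        issued_at = int(claims["iat"])
        user = str(claims["user"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time MAC comparison
        return None
    if now - issued_at > max_age:
        return None
    # Server-side revocation: cookies issued before the user's cutoff are dead.
    # This is how a provider can invalidate forged cookies it has identified.
    if issued_at < (revoked_before or {}).get(user, 0):
        return None
    return user


def demo() -> dict:
    keys = {"k1": SERVER_KEY}
    now = 1_700_000_000                      # constructed "current time"
    legit = mint_cookie("alice", SERVER_KEY, now - 60)
    # Attacker who learned the key forges a cookie for bob without bob's password.
    forged = mint_cookie("bob", SERVER_KEY, now - 30)
    # Attacker without the key: edit the payload but keep the old MAC.
    _, old_mac = forged.split(".", 1)
    edited = json.dumps({"user": "eve", "iat": now - 30, "kid": "k1"},
                        separators=(",", ":")).encode()
    tampered = f"{_b64(edited)}.{old_mac}"
    results = {
        "legit": verify_cookie(legit, keys, now),        # "alice"
        "forged": verify_cookie(forged, keys, now),      # "bob": accepted, no password needed
        "tampered": verify_cookie(tampered, keys, now),  # None: MAC does not match
    }
    # Remediation 1: rotate the signing key; nothing minted under k1 verifies any more.
    rotated = {"k2": secrets.token_bytes(32)}
    results["forged_after_rotation"] = verify_cookie(forged, rotated, now)
    # Remediation 2: per-user cutoff, e.g. set when the user resets their password.
    results["forged_after_cutoff"] = verify_cookie(forged, keys, now,
                                                   revoked_before={"bob": now})
    return results


if __name__ == "__main__":
    print(demo())
```

The tampered cookie fails because the MAC no longer matches, which is the protection a signed cookie normally gives; the forged one succeeds because the attacker holds the key, so the MAC is genuine. Once the key is known to be compromised, only rotation (which also logs out every legitimate user) or a server-side cutoff can revoke cookies that are cryptographically valid.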

“In March, the Department of Justice charged four men, including two Russian intelligence officers, with the 2014 breach. Investigators said the Russian government used stolen Yahoo data to spy on a range of targets in the United States, including White House and military officials, bank executives and even a gambling regulator in Nevada” (The New York Times).
According to the security firm InfoArmor, the Yahoo database was sold for $300,000 on the dark web. At least three different buyers, including two “prominent spammers”, paid the hackers for the entire data set and likely used it to target the affected users.

Legal Compliance Issues

Yahoo did not immediately inform its users and employees about the unauthorized activity in their accounts; it appeared to keep quiet about the whole situation, and the closest thing to an explanation from the company was that an investigation was ongoing. That silence may also have been illegal, given that 47 states had laws requiring companies to alert consumers when they have been hacked. The notice periods vary from place to place: some states require customers to be notified of any data breach within 30 or 45 days, while others require the company to notify its customers as soon as a breach of its systems is confirmed.

In U.S. District Court in San Jose, plaintiff Ronald Schwartz of New York filed a second class-action suit over the hack after learning that his personal information had been stolen. His suit accuses Yahoo of handling user data carelessly and asserts that circumstantial evidence indicates Yahoo knew of the breach long before it was finally disclosed. The lawsuits cite research putting the average time to identify a hack at 191 days and the average time to contain a breach at 58 days after it is discovered.

Societal and Cultural Impact

Cyber-attacks are common in today’s technological age. A successful attack can cause major damage to an organization and erode customer trust in it. The societal and cultural impact of an attack depends on its magnitude and on the amount of media attention it attracts. The 2013 Yahoo breach was an extensive attack that created a great deal of alarm because Yahoo was one of the most widely used email services. The breach forced many users to rethink their own data security and privacy settings.

Germany’s cyber security authority, the BSI, criticized Yahoo for failing to adopt adequate encryption and advised German consumers to switch to other email providers.

Billions of people directly or indirectly affected by the breach lost some faith in online services, which discourages the adoption of new devices and data-driven services; those who continue to use them must educate themselves more after attacks like this.

Yahoo recommended that users who had not changed their passwords since 2014 do so, and security experts agree this is the necessary first step. Experts also recommend enabling two-factor authentication, choosing complex and unique passwords, keeping all software up to date and patched, and using a different password for every account; many individuals reuse the same password across services, which is not advised. Individuals should also watch for unusual activity in their accounts, such as unexpected friend requests, password-reset requests they did not initiate, and anything else out of the ordinary.

1.3 INCIDENT IMPACT

Regulations

The Yahoo data breach was a serious wake-up call for many users. Seeing the damage that one attack can do created alarm across the industry. Companies should spend more on technical controls such as firewalls and on employee training. First, organizations that are targets of attacks must take the lead by adopting best practices that make it harder for an attacker to enter and move laterally within their networks.
Some of these practices include:

1. Limiting administrative access, so that only a small number of employees can reach sensitive systems and documents.
2. Protecting privileged accounts with strong, unique passwords, and storing every credential with a salted, slow password hash rather than a fast one, so that passwords are not readily crackable even when the credential store is stolen.
3. Extending IT security awareness training to all employees in the company.
4. Restricting unknown or non-work-related applications from running on, or communicating across, the organization’s network.
5. Protecting all user accounts with multi-factor authentication, in which a one-time code delivered to or generated on a second device must be entered in addition to the password.

The day after Yahoo announced the breach, its stock price dropped by 3% and the company lost $1.3 billion in market capitalization. Several states, such as California, New York and Massachusetts, have data privacy and protection laws that govern any business activity within the state, whether or not the company is located there. Each such law typically has a clause requiring reasonably prompt notification of consumers whose data has been breached.

Industry Standard

In 2008, Carnegie Mellon University’s Software Engineering Institute issued a public warning to security professionals, through a U.S. government-funded alert system, about the vulnerability of MD5: it stated that MD5 should be considered cryptographically broken and unsuitable for further use. Despite that warning, Yahoo continued to use MD5 and later confirmed that it was still in use at the time of the breach. Yahoo’s security operations grappled with business challenges, according to five former employees and outside security experts. The timing of the attack might look like bad luck, but the weakness of MD5 had been known to attackers and security experts for more than a decade. MD5 is a fast general-purpose hash, so a stolen table of MD5 password hashes, particularly an unsalted one, can be brute-forced far faster than a table protected by a purpose-built, deliberately slow password hash such as bcrypt. “MD5 was considered dead long before 2013,” said David Kennedy, chief executive of the cyber security firm TrustedSec. “Most companies were using more secure hashing algorithms at the time of the incident. Yahoo, which has confirmed it was still using MD5 at the time of the attack, disputed the notion that the company had skimped on security.”

Former Yahoo security staff told Reuters that the security team was turned down several times when it requested new and improved tools to strengthen the company’s cryptography; the requests were denied on grounds such as the cost of implementation, the complexity of the algorithms, or simply being too low a priority.

Yahoo now says that today’s security landscape is complex and ever-evolving, that it has a deep understanding of the threats facing its users, and that it will continuously strive to stay ahead of those threats by adopting stronger algorithms and taking important security precautions. In the summer of 2013, Yahoo launched a project to better secure its customers’ sensitive information, abandoning the discredited MD5 algorithm for hashing passwords.
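To make concrete why an MD5 password table is a liability while a purpose-built password hash is not, the following Python is an added example, not Yahoo's code: it cracks a constructed table of unsalted MD5 hashes with a small wordlist using one hash computation per candidate, then stores and verifies the same passwords with salted PBKDF2-HMAC-SHA256 from the standard library. PBKDF2 is used here because bcrypt, the slow hash Yahoo was reported to have moved to, is not in the standard library; it illustrates the same two properties, a per-user salt and a tunable cost factor. The leaked table and wordlist are constructed, and whether Yahoo's 2013 hashes were salted is not stated on this page; the unsalted case is assumed for illustration.

```python
import hashlib
import hmac
import os

# Constructed leak: a user table with unsalted MD5 password hashes, the pattern
# the essay discusses (salting is assumed absent here for illustration).
LEAKED_MD5 = {
    "user1": hashlib.md5(b"password123").hexdigest(),
    "user2": hashlib.md5(b"letmein").hexdigest(),
    "user3": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}
# Constructed wordlist standing in for the dictionaries crackers actually use.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]

# PBKDF2 cost factor for this example only; production values are set much higher
# (OWASP currently recommends 600,000 iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000


def crack_unsalted_md5(hashes: dict, wordlist: list) -> dict:
    """Unsalted + fast: hash each candidate once, then match it against every user."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def store_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash. Stored form: hex(salt)$hex(derived key)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_pbkdf2(stored: dict, wordlist: list) -> dict:
    """Salted + slow: every (user, candidate) pair costs a full PBKDF2 run, so the
    single lookup table used above is impossible and the work scales with users."""
    found = {}
    for user, record in stored.items():
        for w in wordlist:
            if verify_password(w, record):
                found[user] = w
                break
    return found


def work_factor(n_users: int, n_words: int) -> dict:
    """Approximate hash-function invocations an attacker needs under each scheme."""
    return {"unsalted_md5": n_words,
            "salted_pbkdf2": n_users * n_words * ITERATIONS}


if __name__ == "__main__":
    print("MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {u: store_password(p)
              for u, p in {"user1": "password123", "user2": "letmein"}.items()}
    print("PBKDF2 cracked:", crack_pbkdf2(salted, WORDLIST))
    print("work factor for this leak:", work_factor(len(LEAKED_MD5), len(WORDLIST)))
```

Note that the weak passwords still fall to the wordlist under PBKDF2; the slow, salted hash buys time and multiplies the attacker's cost per user, it does not rescue a password that is in every dictionary. That is why the essay's advice to users (unique, complex passwords, two-factor authentication) and its advice to operators (a proper password hash) are complementary rather than alternatives.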

In 2015, Yahoo’s security team discovered a hidden program attached to the company’s email servers that was monitoring all incoming messages. Their first thought was that the Russian hackers had come back, but it turned out the program had been secretly installed by Yahoo’s own email engineers to comply with a secret surveillance order from a U.S. intelligence agency. That the team was able to detect the hidden program suggests that network security and monitoring had been strengthened since the 2013 breach.

Cultural Impact

Attacks like this are not felt physically, but they are felt socially, emotionally and psychologically. People become anxious that their important documents and personal information are not safe and that they are vulnerable. At the same time, such an attack raises awareness among individuals and companies, which in turn leads to better regulation and gives policy makers more information when drafting cyber security legislation.

Yahoo has said it is fully committed to keeping user information secure by staying ahead of new threats. Hopefully this is the last breach Yahoo will experience and have to come clean about, but it will be difficult for the company to salvage consumer and corporate trust, especially since the full repercussions of these incidents are still not known. Users still regularly ask questions like “How do we know, and how can we be sure, that Yahoo actually kicked the bad guys out when they had three years to bury themselves in that system?”


REFERENCES

Paganini, Pierluigi. “Yahoo Hack – All 3 Billion Yahoo Accounts Were Hacked in 2013 Attack.” Security Affairs, 4 Oct. 2017, securityaffairs.co/wordpress/63813/data-breach/2013-yahoo-hack-3b-accounts.html.

Rogers, James. “Yahoo Confirms More than One Billion Accounts Compromised in Massive Data Breach.” Fox News, Dec. 2016, www.foxnews.com/tech/yahoo-confirms-more-than-one-billion-accounts-compromised-in-massive-data-breach.

Reuters. “Why Yahoo's Security Problems Are a Story of Too Little, Too Late.” Fortune, 19 Dec. 2016, fortune.com/2016/12/19/yahoo-hack-cyber-security/.

Baron, Ethan. “Yahoo Hit with Class-Action Lawsuits over Massive Data Breach.” The Mercury News, 24 Sept. 2016, www.mercurynews.com/2016/09/23/yahoo-hit-with-class-action-lawsuit-over-massive-data-breach/.

Sands, Geneva. “What Consumers Need to Know About the Yahoo Security Breach.” ABC News, 23 Sept. 2016, abcnews.go.com/US/consumers-yahoo-security-breach/story?id=42318594.

Vishwanath, Arun. “Data Security Not Just about Yahoo.” CNN, 30 Sept. 2016, www.cnn.com/2016/09/30/opinions/yahoo-data-breach-vishwanath/.

Sherman, Erik. “Did Yahoo Break Any Laws with the Massive Data Breach?” Inc.com, 10 Nov. 2016, www.inc.com/erik-sherman/did-yahoo-break-any-laws-with-the-massive-data-breach.html.

Olavsrud, Thor. “5 Security Practices Hackers Say Make Their Lives Harder.” CIO, 26 Aug. 2016, www.cio.com/article/3112740/security/5-security-practices-hackers-say-make-their-lives-harder.html.
