Breach may prove pricey for Yahoo in Verizon deal
SAN FRANCISCO Yahoo’s trouble over its massive data breach is far from over. The first of what is expected to be multiple lawsuits linked to the breach was brought in San Jose on Friday by a customer accusing Yahoo of failing to adequately protect his personal information from data breaches and identity theft. The suit seeks class action status.
Security and management experts also are questioning the timetable and disclosure process followed by Yahoo and CEO Marissa Mayer two years after the breach happened and two months after intense bidding rounds led to a planned sale of Yahoo’s core assets to Verizon Communications. Yahoo CEO Marissa Mayer.
The hack could give buyer Verizon leeway to lower the $4.8 billion it agreed to in July — and perhaps even derail the deal.
“They (Verizon) are going to get a price discount,” said Robert Cattanach, a lawyer who specializes in cybersecurity and data breaches at Washington, D.C. firm Dorsey & Whitney. “I would expect that there will be a fairly sophisticated effort to quantify the materiality of the impact of this breach and there would be some sort of price adjustment.”
Verizon and Yahoo declined to comment.
Yahoo on Thursday said it had been the victim of a breach in 2014 in which at least 500 million accounts were stolen from the company in what it expects is a hack by a state-sponsored actor. The breach, which may have included names, email addresses, telephone numbers, dates of birth and in some cases, encrypted or unencrypted security questions and answers, is one of the largest such thefts of its kind.
That it took so long for Yahoo to realize the hack “seems to fall on the side of carelessness or negligence,” said Rahul Telang, a professor of information systems at the Heinz College at Carnegie Mellon University.
Potentially more damning is the possibility Yahoo senior management knew about the intrusion but didn’t disclose it to users, investors or bidders.
The Wall Street Journal, citing an unnamed source, said late Friday its executives had detected hackers in Yahoo systems in fall 2014, believed linked to Russia. It wasn’t clear if that breach of 30 to 40 accounts was linked to the larger theft of information disclosed Thursday. The cascade of revelations threatens to delay the merger, expected to close in the first quarter of next year.
Verizon, which beat out multiple bidders for Yahoo assets that include Yahoo Finance, Yahoo Sports, Tumblr and Flickr, said it only learned of the breach two days before Yahoo’s disclosure.
Said Chris Bulger, founder of Boston tech advisory bank Bulger Partners, estimates Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion — more than Verizon’s $4.8 billion paying price — making it “worthless,” he said.