What Yahoo! hacking means for Verizon
Questions swirl about whether Verizon’s $4.8 billion deal for Yahoo!’s core business will be renegotiated, or happen at all
It was the kind of phone call no chief executive wants to make — or receive — in the middle of a multibillion-dollar deal. On Tuesday, Lowell McAdam, the head of Verizon Communications, was on the road. Marissa Mayer, the chief executive of Yahoo!, was at work in Silicon Valley. Executives at both companies were moving forward on Verizon’s $4.8 billion acquisition of Yahoo!’s core business.
But Mayer had some unexpected bad news. She caught up with McAdam and Marni Walden, a rising star at Verizon who is expected to oversee the Yahoo! business after the deal is complete, by phone, according to people briefed on the call, who spoke on the condition of anonymity.
Yahoo recently discovered that at least 500 million of its user accounts had been breached by hackers two years ago, well before the two companies began talks. Yahoo! and law enforcement officials were scrambling to unwind the intrusion.
After calling McAdam and Walden, Mayer phoned Tim Armstrong, who leads the AOL business at Verizon and will be overseeing the integration with Yahoo!, according to the people briefed on the conversation. Again, the news was not good.
The calls set off a flurry of questions at Verizon — How could this possibly have happened? Who was behind it? Why is it only becoming known now? Could this jeopardise the deal? — but also the sounding of an alarm and the deployment of a triage team to assist Yahoo!.
The telecom giant directed its online security experts, including Chandra McMahon, Verizon’s chief information security officer, to do their own investigation of the hack. And they enlisted the help of Verizon’s security division, part of its enterprise solutions business, which helps companies defend against and manage hacks.
Now, just a few days after Verizon learned of the breach, it is contending with the ramifications of what is believed to be the largest hack of a single company. Even as Verizon tries to assess the damage at Yahoo! and prevent further security intrusions, the scope of the hack and the potential fallout — including the possibility of a costly class-action lawsuit — are inevitably prompting renewed scrutiny of a deal that was intended to transform the telecom behemoth into a digital media powerhouse.
For now, Verizon has given no indication of whether the breach will affect its plans to acquire Yahoo. On Friday, the company declined to provide a comment beyond a statement it issued on Thursday, in which it said it would evaluate the situation “as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
Yahoo! declined to provide further comment on Friday.
The effort is complicated because the sales proceedings between Verizon and Yahoo! are at an early stage. Though teams from the two companies were already working together on integration plans, Verizon does not yet own Yahoo!. As a result, Verizon does not have direct access to the Silicon Valley company’s servers to conduct its own investigation.
In late July, after the Verizon deal was announced, Yahoo! became aware of a claim that about 280 million of its user credentials had been hacked, according to a person briefed on the specifics, who spoke on the condition of anonymity. Yahoo! started an investigation but could not substantiate the claim, this person said. It was not clear on Friday whether Yahoo! had made Verizon aware that it was looking into this claim in July.
During the course of that investigation, Yahoo! learned of the more severe breach, which it has said it believes was statesponsored. Yahoo! has not yet said exactly when it realised how large the intrusion was, leaving open the question of whether Mayer and her team waited to notify Verizon of the hack. Yahoo! is now working with outside security consultants and said its investigation was continuing.
Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.
“They could say, ‘This thing is huge. We want to walk away from the transaction,’” he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo!.
Such claims can be difficult to prove in court. According to Quinn’s reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo! employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information.
In the merger agreement, Yahoo! states that “there have not been any incidents of, or third-party claims alleging” security breaches or thefts of user data that might result in a major change to the value of the company.
More likely, Quinn said, Verizon could pressure Yahoo! to renegotiate the terms of the deal. “They go to court, or threaten to go to court, and renegotiate the price,” he said. “That can be a very winning strategy.”
Like any big company contemplating an acquisition, Verizon performed due diligence on Yahoo! before it agreed to the deal. It was not immediately clear, however, how seriously it took security issues during that process.
But Verizon would have known Yahoo! has a history of breaches. In 2012, Yahoo said that more than 450,000 user accounts had been hacked.
Such issues are increasingly pertinent to mergers and acquisitions.
Verizon is purchasing Yahoo! in the hope that the internet portal will make it a major player in the digital media business, positioning the company to compete with Google and Facebook for ad dollars. The biggest wireless carrier in the United States, with roots going back to the first telephone call in history, Verizon is facing declining revenue and is looking to Silicon Valley for growth.
Those motivations are unlikely to have changed in the course of two months. But it remains unclear whether this new information has made Yahoo! a less desirable acquisition target.
Some of Verizon’s executives have indicated they may be up to the challenge of a big hack. In a recent talk at Penn State University, McMahon, the telecom company’s chief information security officer, suggested that she relished the catand-mouse game between hackers and companies.
“I love security,” she said. “I love the offense and the defense of it. The bad guys are innovating just as much as the good guys in terms of their defense. Our job as defenders is to see all that.”