“What Took So Long?” – Why did Yahoo wait two years to release information on the hacking scandal which affect half a billion users?

The Yahoo hack serves an important piece of advice: that millions of email accounts are at high risk of hacking all the time.

More than half a billion Yahoo user accounts were hacked in late 2014, with 8 million of them being here in the U.K – yet the figure was only released a couple of weeks ago.

So why did it take so long for the world to find out about the Yahoo email hack?

There has been a serious look at Yahoo’s actions and their delay in releasing information about the hack affecting their users. Yahoo allegedly knew about the hack in 2014, but failed to bring it to the attention of their users and properly deal with it for two years.

There doesn’t seem to be any logical reason as to why they would wait so long.

Other affected users

Sky and BT customers could also be affected by the Yahoo hack as they use Yahoo’s email services. The amount of users affected could possibly have been reduced had they been notified earlier. Sky has notified customers via email for a password reset as well as releasing a statement on their website. Figures of the personal data being sold for on the dark web currently stand at £1,390, according to the Metro.

Nature of the hack

The hack saw millions of personal details hacked, including names, email addresses, telephone numbers, dates of births and passwords belonging to each user. The email network tried to provide comfort to the victims of the hack by reassuring them that credit card or bank account information were not taken. But this does not take away the question of whether Yahoo did enough to protect their customers’ personal details.

Questionable security

Before the hack in 2014, there were questions about the security of its customers’ data, according to the Financial Times. Investigations looking into the hack need to determine whether the personal information was stored without proper encryption. If that was the case then Yahoo may face questions as to why the lax in security for their customers’ privacy and personal details.

Security experts said that the company was using encryption systems and algorithms that were outdated and did not provide sufficient security. For a reasonably wealthy company, Yahoo surely cannot claim to have inefficient resources to protect their customers’ personal data. Some could say that, for their sheer size, their detection and prevention could have been far greater. But the issue is more than the hack itself – it is the failure of Yahoo to notify its customers.

Delay in relaying the information

The Chief Executive, Marissa Mayer, was made aware of claims of a security breach, but reportedly did nothing to warn users of the breach. What seems ironic is the fact that the company’s Chief Information Security Officer, Bob Lord, has now given advice on how to keep user accounts safe, and therefore reduce the risk of exposure. This could have been a valuable piece of advice two years ago. However, the ship has definitely sailed this dock. Maybe next time Yahoo and other online networks can learn from this lesson of notifying their users as soon as possible or close to the time of events, and not two years down the line.

Communication

It is how Yahoo react to situations and circumstances like this that could maintain the trust of their users. However, that does not seem promising for Yahoo as they held off on external communication for so long.

Well planned incident response procedures and effective communication are two factors that could be considered key to maintaining market confidence and containing the problem to one online account. I say this because usually people will use the same passwords over several accounts. The delay in notifying the users could have had serious consequences, as it could give the hacker enough information to access financial details on other online accounts.

Criticism

Mark Warner, U.S. Senator in Virgina, criticised Yahoo for the delay in publicising the information to its users:

“…while its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.”

Concerns have spread like wildfire and New Zealand’s Privacy Commissioner finds it “extraordinary” that it has only just been published.

There could have been an ulterior motive behind not releasing the information, but of course we may never know the truth behind this. All that can be said is that passwords can be changed, but security answers like a mother’s maiden name cannot. The hack and the delay in notifying the users may have easily compromised the security beyond a Yahoo email account.

Regulation and enforcement

There are many questions left unanswered: like, why there was such a delay in releasing information to their users? Why were there no automatic password resets? The reality is that organisations like Yahoo need to be proactive in their approach to safeguarding personal data, but I don’t think we have seen the back to this lax attitude of organisations unless security enforcement agencies intervene.

Regulators should press companies and organisations to keep an eye out and be speedy in their reactions to notify users so that, if the same passwords are used across multiple accounts, users can act accordingly to reduce their risk of further data breaches. UK and Ireland Officials have asked Yahoo to provide more details of the email hack, which could be to investigate whether Yahoo did enough to protect their customers’ details.

The repercussions may have a long-term effect on Yahoo’s users, but this could be a lesson to companies and organisations who fall victim to future hacking scandals.

“Medical records are the new hot commodity” – The scale of healthcare hacks are massive, with some 10 million medical records reportedly for sale on the ‘dark web’

“Big Brother Style Surveillance” – Yahoo allegedly handing over emails to U.S. Intelligence Officials