Yahoo’s CISO responds to data breach questions

Sometimes the Chief Information Security Officer (CISO) role is hidden in the shadows, and the person holding it may go largely unheard of. However, Yahoo’s CISO, Bob Lord, has been in the limelight in recent years after two massive data breaches – arguably the biggest ones in recent history – that affected approximately a billion and a half of Yahoo’s users.

Mr Lord made jokes during an interview at TechCrunch Disrupt New York, saying that he “may have broken a record” for the number of emails sent. The email that circulated was the one informing users of the breach.

Not sure the rest of us are finding this funny…

Two grave data breaches

There were two breaches: the first was disclosed in September 2016, when 500 million accounts were reportedly hacked. The second was disclosed just a few months later, when reports confirmed that approximately 1 billion accounts had been hacked.

To date, Yahoo seem to have been unable to identify the source of the intrusion: the details of how it happened and who was responsible for it. It could have been a result of the 2014 cyber-attack, although Yahoo say there isn’t enough evidence to comment further on this point.

Notifying users – why did it take so long?

When asked how he felt when informed about the breach, Mr Lord likened the feeling to a weird parallax, and said that trying to put the different pieces together was no easier.

Hackers reportedly broke into the system in 2014, but it took over two years for Yahoo to publicly disclose this. What was the reason for the delay in detecting or disclosing the cyber-attack? Mr Lord noted that campaigns can run for extended periods of time, saying that the breach wasn’t a “smash and grab attack; these are long-term plays”. He went on to note that, once they had figured it out, they were interested in understanding the nature of the cyber-attack.

Serious lessons need to be learned. Mr Lord gives his word that there have been a number of changes that have refined Yahoo’s security programme, saying they now have a group of experts working at Yahoo, called the Paranoids, who know what they’re doing when it comes to clamping down on attacks.

Indictments

Four people have been charged: three Russians and one Canadian. But the question to ask is how they were able to get that deep into Yahoo’s systems in the first place.

Mr Lord admitted that it was due to long-term compromises, and also said that the cyber-attackers must have worked hard to fly under the radar and gain access to the systems they were tasked with reaching. More surprisingly, Mr Lord seemed to praise their professionalism by noting that they were “skilled individuals”.

The CISO didn’t seem to answer the question posed of how the cyber-attackers actually accessed the system. Instead, he answered: “I’m not going to go into technical details.” This may feel like a deflective strategy used to avoid answering the question, but he did outline in general terms the stages by which attackers gain access to systems:

  • See what servers are out there
  • See what compromises there are on the system to make an initial intrusion
  • Elevate privileges
  • Operate laterally. They have to move from machine to machine to find what they’re looking for. Each one requires different techniques and tools.

Are breaches of this nature possible in the future?

At the end of the TechCrunch interview, Mr Lord was asked:

…how does he know that there still isn’t a hacker in their system?

Mr Lord couldn’t confirm with 100% certainty that there wasn’t, as he said that would mean trying to prove a negative, but he said Yahoo has built up circumstantial evidence to show that the cyber-attacks that took place before just aren’t possible any more.

He said Yahoo has programmes in place to reduce the chances of further exploitation, but that doesn’t give the one billion plus users much peace of mind, as Yahoo are unable to give reasons for the second cyber-attack.
