Yahoo suffered three significant data breaches affecting more
than 1.7 billion users between 2012 and 2014. The inadequacy
of its cybersecurity policies, in particular Yahoo's failure to
promptly report the incidents to its users and to mitigate the impact
of these enormous data leaks, has had a major impact on the company
and its executives:
Verizon negotiated a USD 350 million reduction on the initial
USD 4.8 billion acquisition price.
Consumers and shareholders have already initiated around 50
lawsuits against Yahoo and its executives.
Several US and EU authorities have launched investigations into
Yahoo's General Counsel was forced to resign, while its CEO
gave up a significant cash bonus for 2016 and 2017.
The Yahoo incident is a textbook example of the grave
consequences of failed cybersecurity governance. Companies should
review cybersecurity policies, security measures and incident
response mechanisms, as well as consider the potential benefits of
In 2012, 2013 and 2014 Yahoo suffered several data breaches that
affected the account information of, respectively, 200 million, 1
billion and 500 million consumers. The cybercriminals used stolen
passwords, email addresses and dates of birth to break into
customers' accounts at Yahoo, Google and other webmail
providers. The hackers particularly targeted Russian journalists,
US and Russian government officials, and private-sector employees
of financial, transportation and other companies recognised as
critical infrastructure in the US.
Insufficient security measures and failure to disclose
For years, Yahoo used inadequate measures to secure sensitive
customer information. It protected the billion passwords stolen in 2013
with the outdated and untrustworthy MD5 algorithm, a hash
function designed back in 1991. Yahoo's legal team and
senior management knew about the data breaches, but failed to
report them to consumers and governmental authorities. Yahoo only
began disclosure in autumn 2016, when it reported one of the
breaches amidst the acquisition of its web operations by Verizon
Communications Inc. In its filings to the Securities and Exchange
Commission in December 2016, Yahoo revealed the other incidents,
including the one affecting 1 billion users. This combination of
poor security and inadequate reporting has already led to severe
consequences for Yahoo and its executives.
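The article's point about MD5 is that a plain, fast hash is the wrong tool for storing passwords: with no per-user salt, every user who chose the same password receives the same stored value, and a single digest can be tested at enormous speed. The following is an added illustration, not code from the article or from Yahoo; it places the legacy scheme next to a salted, deliberately slow alternative (PBKDF2-HMAC-SHA256, chosen here as one widely available option; the iteration count, salt length and the sample user list are assumptions made for the example).

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample credentials for the demonstration; not real account data.
# Two users deliberately share a password so the salting difference is visible.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

# Assumed parameters for the hardened scheme (example values, not a standard).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def md5_store(password: str) -> str:
    """Legacy scheme criticised in the article: one fast, unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus an iterated, slow derivation.

    Returns a self-describing record 'iterations$salt_hex$digest_hex' so the
    parameters can be raised later without breaking existing records.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_with_shared_hash(records: Dict[str, str]) -> int:
    """Count users whose stored value is identical to another user's.

    With an unsalted hash this number reveals password reuse directly from the
    database; with per-user salts it should be zero.
    """
    counts = Counter(records.values())
    return sum(c for c in counts.values() if c > 1)


def build_stores(users: Dict[str, str]):
    """Build both password databases for the same set of users."""
    legacy = {name: md5_store(pw) for name, pw in users.items()}
    hardened = {name: pbkdf2_store(pw) for name, pw in users.items()}
    return legacy, hardened


if __name__ == "__main__":
    legacy, hardened = build_stores(SAMPLE_USERS)
    print("users sharing an MD5 value:  ", users_with_shared_hash(legacy))
    print("users sharing a PBKDF2 value:", users_with_shared_hash(hardened))
    print("alice login ok:", pbkdf2_verify("correct horse", hardened["alice"]))
    print("alice wrong pw:", pbkdf2_verify("wrong", hardened["alice"]))
```

A practical note on migration: a legacy database like the MD5 one above can be moved to the salted scheme gradually, by re-hashing each password with `pbkdf2_store` the next time its user logs in successfully, and forcing a reset for accounts that never do.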
Financial, administrative and other implications
The disclosures delayed the closing of the acquisition deal and
allowed Verizon to negotiate a USD 350 million discount on the
initial USD 4.8 billion previously agreed between the parties. In
addition, Verizon and Yahoo agreed to share the costs of the legal
aftermath of the incidents.
According to its recent annual report (p. 45-47), Yahoo – a
publicly owned company – also faces approximately 43 putative
consumer class action lawsuits, four stockholder derivative actions
and one putative stockholder class action. Some lawsuits target
Yahoo's executives individually. As Yahoo did not have
cybersecurity liability insurance, the company will have to pay all
expenses resulting from the data breaches out of its own
In addition, financial, consumer and data protection authorities
in the US and EU have launched investigations into Yahoo's
cybersecurity practices. The combined EU data protection
authorities are "deeply concerned" about the data breaches
and will scrutinise the matter on both EU and national levels. The
cybersecurity incidents have also affected Yahoo's executives.
Its general counsel resigned, and CEO Marissa Mayer gave up her
cash bonus that could have amounted to USD 14 million.
Lessons to be learnt
The Yahoo case gives a unique insight into the costs and
implications of failed cybersecurity governance. A successful
cybersecurity strategy should not only include up-to-date and
regularly reviewed technical protection measures, but also contain
incident response mechanisms, reporting procedures, and regular
staff training. Companies should furthermore consider the benefits
of cybersecurity insurance. While it may not always be possible to
outsmart the hackers, companies can control and mitigate the
gravest consequences of cybersecurity incidents.