
Cyber security experts respond to Yahoo breach

The US multinational tech group said that “state-sponsored” hackers stole information from about 500m users, in what appears to be the biggest-ever publicly disclosed cyber-breach.

US multinational tech giant Yahoo revealed on September 22 that hackers, who it believes were state-sponsored, had stolen information from around 500m users in what appears to be the largest publicly disclosed cyber-breach in history.

Personal information accessed in the breach, which apparently occurred in 2014 but had not previously been made public, included names, e-mail addresses and “unencrypted security questions and answers”.

Cybersecurity experts offered commentaries in response to the news:

Stephen Love, security practice lead-EMEA, Insight UK:

“Yahoo is once again in the spotlight for a breach that has been named the largest in history, affecting about 500m users. This is huge and as the public become more aware of the worth their personal details hold, the bigger the impact it will have on the organisation. It is yet another warning of the necessity for every organisation – no matter how large or small – to have a robust security approach to its data management.

“However, communication should be the first priority when reacting to such a breach. Telling customers about a breach that happened in 2014 isn’t acceptable. Even more so with the European Union’s (EU) General Data Protection Regulation (GDPR) only two years from implementation, which will force organisations that face breaches of this nature to notify customers within 72 hours. If they don’t, they will face massive fines that damage the financial stability of the company and this, coupled with the reputational damage, could see the business facing bankruptcy.

“Planning ahead is the best course of action for any business. 2018 might seem a way off, but with just over three months until 2017 begins, before we know it the new legislation will come into effect. Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliance.”

Kurt Baumgartner, principal security researcher, Kaspersky Lab:

“These types of breaches highlight why all companies need to be cybersecurity leaders, implementing best practices and available security technologies, such as the delay in encrypting instant messaging (IM) communications, implementing https for its web properties and more.

“Of course, this situation reminds us of Google’s Aurora advanced persistent threat (APT) incident in 2009, announced in 2010. When we compare these two breaches, it is incredible that it’s 2016 and users are only being notified years after a major breach like this one, and only after another organisation made the issue public. While it is important to note that Yahoo! provides a list of account “meta-information” that appears to have been stolen and leaves out content of email accounts, the credential knowledge-based challenge information and passwords were stolen as well. So, passwords could have been reset on accounts without customers carefully checking password resets and access. And, the knowledge-based challenge information used to reset passwords may have been re-used to attack other web services the customer may be using.

“In the meantime, if you are using a Yahoo! email account, it’s a good idea to set up a “Yahoo account key,” which removes the need to enter passwords and enables a level of two factor authentication.

“Do not fall for social engineering schemes that will follow this incident. Everyone should be aware that any breach notice that Yahoo! emails out will go only to their email service users, and it will not provide links to click on, include any attachments, and will NOT ask for personal information.”
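The article notes that the stolen records included “unencrypted security questions and answers”, and Baumgartner points out that such knowledge-based answers can be replayed against other services that ask the same question. The following is an added example, not Yahoo’s code or anything from the commentators quoted above, showing the storage pattern that makes a dump reusable beside a hardened form: each answer is canonicalised and hashed with a per-record salt and a memory-hard KDF (scrypt from the Python standard library), so a table dump yields only per-user offline guessing work rather than replayable plaintext. The function names, the store layout and the sample user record are this example’s own assumptions.

```python
"""Added example: storing knowledge-based authentication (KBA) answers.

A plaintext security-answer table, once dumped, answers the same question
at every other site the user has. Hashing each answer with a salted,
memory-hard KDF limits an attacker holding the dump to offline guessing,
one record at a time. Illustrative code; not Yahoo's implementation.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional

# scrypt parameters: the RFC 7914 interactive-use recommendation
# (N=2**14, r=8, p=1, ~16 MiB). Raise N for stronger offline resistance.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DIGEST_LEN = 32

# "Before": the pattern the breach exposed (constructed sample record).
# Anyone who reads this table can answer the question anywhere.
PLAINTEXT_STORE = {
    "user@example.com": {"first school": "Lincoln Elementary"},
}


def normalize_answer(answer: str) -> bytes:
    """Canonicalise an answer so 'Main St.' and 'main st' hash the same.

    Users rarely retype free-text answers identically, so the hash is taken
    over NFKC-normalised, casefolded text with spaces and punctuation
    removed. That costs a little entropy, which is why the KDF is slow.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum()).encode("utf-8")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(normalised answer), a fresh salt per record."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(normalize_answer(answer), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=DIGEST_LEN)
    return salt + digest


def verify_answer(stored: bytes, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    expected = hashlib.scrypt(normalize_answer(candidate), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                              dklen=DIGEST_LEN)
    return hmac.compare_digest(digest, expected)


# "After": the hashed store. The value kept per question is salt||digest,
# never the answer itself.
HashedStore = Dict[str, Dict[str, bytes]]


def enrol(store: HashedStore, user: str, question: str, answer: str) -> None:
    """Record a user's answer to a question in hashed form."""
    store.setdefault(user, {})[question] = hash_answer(answer)


def check(store: HashedStore, user: str, question: str, candidate: str) -> bool:
    """Verify a reset attempt; unknown users/questions fail closed."""
    stored = store.get(user, {}).get(question)
    if stored is None:
        return False
    return verify_answer(stored, candidate)


if __name__ == "__main__":
    hashed: HashedStore = {}
    for user, qa in PLAINTEXT_STORE.items():
        for question, answer in qa.items():
            enrol(hashed, user, question, answer)
    print("typo-tolerant match:",
          check(hashed, "user@example.com", "first school", "lincoln elementary!"))
    print("wrong answer:",
          check(hashed, "user@example.com", "first school", "Washington"))
```

The hashing does not stop someone who already holds a user’s answer from trying it at another site; it only stops the dump itself from being that answer. Rate-limiting reset attempts and, as Baumgartner suggests, moving to a second factor remain the stronger controls.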
