We’ve written about the massive Yahoo data breach in this space a few times now. First there was the news of the breach itself and the potential fallout for consumer confidence and the valuation of the business. Then we learned that the breach was even worse than originally reported, with the original breach going back years.
At this point, it might seem like all the news has been wrung out of this particular attack. Not so fast: yet again, the story of the Yahoo breach continues to provide valuable insights into what organizations might face should they too suffer a breach.
The two previously reported Yahoo breaches occurred in 2013 and 2014. The 2014 breach was detected at the time, but without a full understanding of the depth of the attack. The 2013 breach, on the other hand, wasn’t uncovered until last year. Understandably, both of these facts have raised concerns about Yahoo’s cybersecurity practices.
This context helps explain why, in December, the Securities and Exchange Commission (SEC) launched a probe to see if Yahoo violated civil securities laws by failing to report these breaches in a timely manner. Basically, the SEC “requires companies to report cyber incidents that may have an impact on corporate finances,” Healthcare Info Security reports.
What’s at stake here for Yahoo? More potential fines and, as we’ve already remarked upon, continued, potentially damaging headlines about cybersecurity incompetence or negligence. Traditionally, the SEC has not launched investigations into breach response times, but this is the dawn of a new age that all businesses need to be aware of.
A Growing Concern
Cybersecurity simply faces a level of scrutiny and consumer knowledge that we just haven’t seen before. With the high-level breaches of the Democratic National Committee during this past year’s presidential election, there is growing awareness of how much impact cyber attackers can have on organizations.
As we’re seeing with this most recent news, the government is responding. Due to this increase in public knowledge and outrage, there is more of a call to go deeper in these investigations. Public response may not be the exact cause here, but ask yourself: do you see cybersecurity regulations and enforcement weakening or strengthening in the current environment?
There might have been a time when data breaches alone were not enough to change consumer behavior, but that moment is over, as Yahoo’s discovered over the past several months. Though Yahoo has yet to formally report a drop-off in users, experts predicted at the announcement of the first breach that the company could suffer a loss of $2 to $3 per ex-customer. That adds up quickly.
For sectors frequently targeted by cyber attackers, such as healthcare and finance, the Yahoo story should serve as a warning of what to expect if you suffer a breach: endless investigations and repeated headlines questioning your preparedness. Don’t risk it.