New information has come to light about Yahoo’s 2013 data breach. But there’s a story behind all of this, one of remediation and communication. It’s instructive for all enterprises in terms of how they continuously manage security and treat customers.
Just when you were getting your head around the 143 million people whose personal data was compromised in the Equifax breach (although now it seems closer to 146 million), prepare for the number 3 billion. That’s how many Yahoo accounts were hacked, according to newly revealed information about the company’s infamous 2013 data breach. This is certainly making headlines, and the Twittersphere is having a field day with it, but the untold story is the effort Yahoo made to fix the problem when it happened.
First off, it’s important to remember that the attack took place almost four years ago. Security was different even that short time ago. The emphasis then had been on securing the perimeter, whereas now there are more tools available to apply to the different pieces of the IT environment. Approaches to security now look at the “stack” in which users and data transact, and apply security to ID, compute, storage, and other layers within the stack. Yahoo has been forthcoming and transparent about how it manages security, and it is clear that it has much more continuous insight and control over its environment.
We also have to look at these kinds of breaches not just at the point of attack, but in the aftermath, including how organizations handle communication with those affected. Equifax waited two months to fix an unprotected server, and that didn’t end up so well for them; 146 million people are paying the price for its lax security management. Yahoo, by contrast, quickly instituted a plan of action that told users how to change passwords, how to identify fake requests for personal information, and how to protect themselves in general. We recommended that Equifax be transparent and communicate a plan to rectify their mistakes. So far, the response has been vague. Yahoo, by contrast, initiated a plan to keep users safe and secure.
The Yahoo case is a cautionary tale about how rapidly security attacks and defenses change in today’s world. Evolving organizations can differentiate themselves by deploying a plan of transparent communication like Yahoo’s, embracing continuous practices in security and compliance, and always updating and improving their policies and commitments to users as a core fundamental of their business. Yahoo is a sophisticated company with a strong security program; if organizations at the top of the food chain can fall victim to these kinds of breaches, then no company is ever truly safe from the constantly morphing and ever-changing nature of today’s attack landscape.