Last week Yahoo revealed that over 500 million users had been affected by one of the largest data breaches in history. Disgruntled users in Illinois and California have already filed class-action lawsuits aimed at holding the struggling internet giant responsible.
The lawsuits are not only related to Yahoo’s ineffective information security measures. They also relate to the amount of time it took the company to reveal the data breach. Some plaintiffs contend that because Yahoo failed to announce the breach immediately, cyber criminals had time to exploit the data before users were able to take simple protective measures.
These plaintiffs specifically cited a study conducted by the Ponemon Institute identifying 191 days as the average amount of time necessary to detect and announce a data breach affecting public users. In the case of the Yahoo data breach, the company took two years to detect and announce the breach.
Yahoo has blamed the attack on a state-sponsored group of hackers but has declined to point a finger at any specific nation. Some have questioned whether the attack was actually state-sponsored or whether Yahoo is making that claim to hide the embarrassment of being breached by a less sophisticated group of cyber criminals.
The data breach included names, addresses, dates of birth, passwords, and in some cases security questions and answers. Users of the company’s email, fantasy sports, and finance sites were all affected.
Yahoo reportedly launched the investigation into the breach in July. The initial focus, however, was on a suspected data breach that occurred in 2012. At the start of the investigation Yahoo was negotiating with Verizon to sell off its core internet business for $4.8 billion. The breach was not immediately disclosed, and some have reported that it could reduce the sale price significantly.
The findings of security experts bolster the plaintiffs’ claims that Yahoo misrepresented the safety of its systems and services. A company that specializes in securing cryptographic keys found several troubling flaws after auditing external Yahoo websites. More than a quarter of the certificates audited had not been updated since 2015, a serious lapse in security best practices. This lapse may not have contributed to the data breach named in the lawsuits, but it does indicate a corporate culture that failed to adequately prioritize data security.
If the number of lawsuits increases, it could continue to lower the sale price of Yahoo. The information revealed within these lawsuits could also reduce the already dwindling numbers of Yahoo users.