While the press and rumor mill turn full tilt in the wake of the announcement from Yahoo last week that it had been the victim of perhaps the largest known data breach ever (more records were breached than there are citizens of the United States), folks in the security community seem to be reacting with more of a shrug than a shudder.
There is often a misconception that if a breach does not include plain text passwords or debit/credit card details, it is of limited severity. But let’s be clear: this hack matters. Armed with personally identifiable information (PII), such as names, email addresses, birthdates, phone numbers, etc., attackers can conduct social engineering attacks to gain full access to accounts — not just at the breached site, but at many sites. By carrying out a phishing campaign, for example, attackers could easily customize spoofed email messages to compel a Yahoo user to contact support, change a password, etc., as a way to gain access to a victim’s online accounts.
The news — and the sheer magnitude — of this breach should serve as a reminder to be diligent and follow best practices: users should use different passwords on different sites. This can be facilitated by using a password manager, and those passwords should be regularly updated. Enterprises should use two-factor authentication to protect against stolen passwords.
What surprised me was the apathy.
It seems everyone has become numb to the news of major breaches, to such an extent that while the press has had a field day on Yahoo, individuals are responding with far less outrage and fear than one might expect. A friend summed up the broad sentiment, saying, “I’ve changed my Yahoo password, so now I can go back to not using the service.”
As the CISO of a security company, I am more interested than most in the implications of such a breach and the security vulnerabilities the hackers successfully exploited. But for now, at least while that investigation unfolds, I’d like to explore this apparent apathy around such a massive breach. Has the threat (and, in this case, reality) of a breach simply become background noise, like the terror alerts we used to see on the evening news?
While apathy about the hack certainly has to do with the decline in popularity of the Yahoo service, one of the reasons that this breach has not been of particular interest is that there is no evidence of pain. And while there have been plenty of very expensive breaches in the news, the firms that are breached take the financial hit, not the individuals whose data is being stolen. In the case of debit/credit card breaches, for example, we simply receive a new card in the mail and move on.
Other high-profile attacks, such as Sony’s in 2014 and the DNC’s in 2016, caused embarrassment and outrage for the affected organizations. They surely cost those organizations in a multitude of ways, but cost consumers nothing. That is a further explanation for the detachment with which most people view such news. (A rare exception was the Ashley Madison hack of 2015; it was a small-scale breach by comparison, but the users of the site whose identities had been exposed felt real pain as a result. You can bet those folks have become more careful about the sites on which they enter personal information.)
Many questions remain.
The lack of concern over the breach raises the question: if victims don’t care that much about the Yahoo hack, why then would a nation state (to which Yahoo has attributed the hack)? It’s difficult at this point to parse company statements, but if it was state-sponsored, chances are that the actors got what they wanted long ago, as the breach was carried out in late 2014. And this brings me to one of the more troubling questions.
It has been reported by The New York Times that CEO Marissa Mayer may have had knowledge of a breach as early as July, yet did not disclose details to regulators and investors until last week. If true, Yahoo acquirer Verizon is no doubt asking a lot of questions right now. Such information is clearly of great importance during a due-diligence process, and yet as recently as September 9, in a regulatory filing with the SEC, Yahoo claimed no knowledge of any data breaches.
Yahoo customers should also question whether they received notification of the breach in a timely manner. In any breach, consumers have a right to know that they may have been impacted as soon as possible so that they can take steps to protect themselves.
The breach matters. They all do.
I would caution individuals from becoming inured to these kinds of attacks, whether they affect us personally or not. As the events of the Yahoo breach unfold, we are likely to find out some surprising details around why and how it happened. Still, the fact remains that the personal data of nearly half a billion individuals is in the wild. As both security professionals and consumers, we have to remember that the moment we put a password into any field in any website, we no longer control it. And that is something we should all take very personally.