Some reports called it quite possibly the largest data breach of all time. Internet entertainment, news and search site Yahoo announced on Sept. 22, 2016 that a recent investigation by the company confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it thinks is a state-sponsored actor.
The account information might have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers, according to a statement by Yahoo CISO Bob Lord.
The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation has found to be affected, the statement said.
Based on the investigation, Yahoo suspects that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on the incident.
The company said it was taking action to protect its users, including enhancing its systems that detect and prevent unauthorized access to user accounts.
And Lord’s statement reflects what many security executives have come to learn and are dealing with every day: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.”
This is just the latest attack against a company in the entertainment, media and communications sector. For instance, one of the most notable breaches in recent years was against Sony Pictures Entertainment (SPE). The company in late November 2014 experienced a hacker attack that caused significant disruption to its operations.
A hacker group that launched the attack against SPE released confidential data from the company including personal information about its employees and their families, e-mails between employees, information about executive salaries, and other information.
But the Yahoo incident stands out not just because of the number of affected users. Yahoo is in the midst of being acquired by communications provider Verizon for $4.8 billion, and news of the data breach has led to speculation about what it means for the transaction.
For example, a recent article in Fortune questioned whether the Yahoo hack would allow Verizon to pull the plug on the deal. Verizon could claim a material breach for something such as the data hack, the article said, by arguing that the event has caused irreparable harm to Yahoo in terms of customer trust and usage. It conceded that getting a court to agree that a material adverse event had occurred, but it is theoretically possible. In addition, Verizon could use the threat of such a claim to renegotiate its original agreement, the article noted.
Many entertainment, media and communications companies, such as Yahoo, are large, global businesses that gather information about millions of people who subscribe to their services. It stands to reason that any organization that needs a huge consumer audience as part of its business model will be a target for hackers. That includes Internet news sites, traditional media organizations, communications providers and others in the business of serving many people around the world.
Companies in the industry are taking steps to strengthen their security posture. Many in the sector are implementing technologies such as cloud-based cyber security, big data analytics and advanced authentication, according to the Global State of Information Security Survey 2016 by consulting PwC.
The vast majority of the businesses have adopted risk-based cyber security frameworks to help guide their information security programs, and more are sharing threat intelligence with external partners.
Content in many cases is the most valuable asset an entertainment, media and communications company owns. Because of this, it’s an increasingly common target of attackers. Theft of intellectual property such as digital content more than doubled in 2015, the PwC report said.
Survey respondents in the sector said external actors such as hackers are most likely to steal digital content, but they’re not the only threat. Third-party partners and foreign entities are also a mounting concern for companies. Increasingly, they are turning to advanced authentication technologies such as fingerprint recognition and hardware and software tokens to improve secure access to systems and data.
The adoption of cloud computing in the industry has surged as production and post-production activities become increasingly global and far-flung vendors require access to content, the report said. The cloud also has emerged as a tool for cyber security safeguards. About two thirds of the respondents (64%) said they use cloud-based cyber security services such as real-time monitoring and analytics, advanced authentication and end-point protection.