The good news for Internet entertainment, news and search site Yahoo Inc. is that Verizon Communications Inc. is still interested in acquiring the company following its disclosure of massive data breaches. The bad news is that the value of the deal has dropped precipitously after the security incidents became public knowledge.
In late February, the two companies announced that they had amended the existing terms of their agreement for the purchase of Yahoo's operating business. Under the new terms, Verizon and Yahoo agreed to reduce the price Verizon will pay to acquire Yahoo's operating business by $350 million.
In addition, Verizon and Yahoo agreed to share certain legal and regulatory liabilities arising from data breaches incurred by Yahoo, according to the deal. Under the amended terms, Yahoo will be responsible for 50% of any cash liabilities incurred following the closing related to non-SEC (Securities and Exchange Commission) government investigations and third-party litigation related to the breaches.
Liabilities arising from shareholder lawsuits and SEC investigations will continue to be the responsibility of Yahoo. Also under the changed terms, the data breaches or losses arising from them will not be taken into account in determining whether a "business material adverse effect" has occurred or whether certain closing conditions have been satisfied.
Verizon's acquisition of Yahoo, now valued at about $4.48 billion in cash, is expected to close in the second quarter of 2017.
What has happened with this corporate mega-deal provides a good example of the broad impact security breaches can have on a business, as well as on its employees and shareholders. Attacks can result not only in lost or stolen data, unhappy customers and employees, bad publicity and potential regulatory fines. They can also lead to a huge drop in corporate value—as Yahoo is discovering.
Events such as this help explain why concerns about cyber security threats and vulnerabilities have risen to the board of directors level at many organizations today. Protecting data resources is not just the responsibility of the CISO, CSO or CIO; it’s ultimately the responsibility of the most senior-level business executives in an organization, including the CEO. In fact, cyber security should be a priority of the entire C-suite.
Yahoo announced in September 2016 that a recent investigation by the company had confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what Yahoo thinks is a state-sponsored actor. Some news sites noted that it was possibly the largest data breach ever.
A statement by Yahoo CISO Bob Lord said the account information stolen might have included names, email addresses, phone numbers, dates of birth, and in some cases encrypted or unencrypted security questions and answers.
An investigation of the case suggested that the stolen information did not include unprotected passwords, payment card data, or bank account information. Yahoo said payment card data and bank account information are not stored in the system involved in the attack.
But based on the investigation, Yahoo said it thought information associated with at least 500 million user accounts was stolen. The company said it was taking action to protect user data, including enhancing its systems that detect and prevent unauthorized access to user accounts.
Then, about two months after the initial disclosure of a data breach, Yahoo issued another statement, saying law enforcement in November 2016 had provided the company with data files that a third party claimed were Yahoo user data. The company said it analyzed this data with the help of outside forensic experts and found that it appeared to be Yahoo user data.
Based on further analysis of the data by the forensic experts, Yahoo concluded that an unauthorized third party in August 2013 stole data associated with more than one billion user accounts. Yahoo said it has not been able to identify the intrusion associated with the theft, but thinks the incident is likely distinct from the incident it had disclosed in September.
The company once again said it was taking steps to secure users’ accounts, including requiring them to change their passwords. Yahoo also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
But the damage was done, as is evidenced in part by the reduction in the company’s value prior to the acquisition by Verizon. Perhaps this will serve as a lesson for companies—not that they really need one—on how vital it is to build and continuously update a cyber security program that protects valuable customer data.