One of my sisters, when particularly vexed by someone, is given to referring to that person as a “yahoo.” A yahoo is an unrefined, noisy, rude individual. The word was invented by Jonathan Swift in his book Gulliver’s Travels, first published in 1726. He used the term to refer to a race of creatures who were bestial, uncultivated, violent, and loutish brutes. Yahoos represented Swift’s view of mankind in its lowest form. At first blush, the yahoos of Swift’s creation would seem to have little in common with the company founded by David Filo and Jerry Yang. The system they created to keep track of their personal interests on the internet became known as Yet Another Hierarchical Officious Oracle—YAHOO.
We just learned that in their latest regulatory filing with the Securities and Exchange Commission (SEC), YAHOO admitted that they knew of the security breach they announced in September, a breach that put at risk customer passwords, phone numbers, and email addresses from 500 million accounts, as early as the latter part of 2014. Think about it. It appears YAHOO may have waited two years to disclose the largest security breach in the history of the internet.
The timing of the disclosure will certainly spur new inquiries. Remember that in July, Verizon agreed to pay $4.8 billion for Yahoo’s core business. Senator Mark Warner has asked the Securities and Exchange Commission to investigate whether Yahoo’s senior executives improperly failed to disclose the 500-million-customer breach in timely fashion. The issue may become a test case for the SEC, which way back in 2011 issued a “guidance” to companies mandating that they notify the agency if a breach occurred that could have a “material adverse effect on the business.” According to critics, the SEC has not followed up on the guidance, having failed to act against a single company for non-disclosure of a cyber incident. Read more here.
YAHOO has other headaches stemming from the breach. At last count the company was facing 23 breach related lawsuits, and that number is expected to rise. In addition, it’s been reported that Verizon is seeking a $1 billion discount on the purchase price agreed to in July. The prospect of regulatory fines, legal fees, and dramatically reduced asset values certainly calls into question the decision-making at senior levels inside YAHOO. People outside the company increasingly must ask, “Do you, YAHOO?”
By Tom Davis, SDI Cyber Risk Practice
November 15, 2016