• Law, Policy -- and IT?

    Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


I’m Skeptical

The Yahoo breach.


September 22, 2016

I’m skeptical. 500 million accounts with everything: names, credentials, passwords, zip codes.  Hacked two years ago. More than a year before Yahoo goes on the chopping block but around the time that rumors of its sale were leaked. Sold now to Verizon. The New York Times reports that it costs $221 to correct the record for each person/account hacked. That number exceeds the sale price. Any chance Yahoo knew about this matter sometime closer to the reported date in 2014? Could there be more than a coincidence between this event and the sale earlier this year that took place?

Hacks have become so routine that most people are likely to brush it off. The government should not. If government’s role is to protect consumers, then it should be sure that consumers are compensated for the exposure of their personally identifiable information on the open hacker’s internet.  One way to protect would be to open an investigation into Yahoo.  What did Yahoo know and when did they know it?  Or, at the very least, they should freeze Yahoo’s assets to be sure that consumers are compensated before that money goes to shareholders and evaporates.

Does anyone know if the sale has already taken effect?  If so, what are the provisions in the contract regarding Verizon’s assumption of Yahoo’s liabilities or debts?  Usually, those factors are the subject of massive audits before an agreement is reached.  Indeed, those audits are part and parcel not only of contract language but of price.  If I am buying a company that has 50% of its value marked as debt, I want 50% off the price.  To be sure, I want to know what kind, how much, and the transaction costs of extinguishing company debt. 

 Wouldn’t it be interesting if evidence emerges that Yahoo knew about this debt before today, Thursday, September 22, when the New York Times reports it emerged on a hacker site? I mean a long time before. Yahoo had a big breach in 2012.  This one is alleged to have occurred in 2014.  I am not sure what is worse: keeping the breach under wraps or not knowing about it until hacker sites reveal it two years hence?

Microsoft, Google, even Facebook are some of the safest places to have accounts.  They prioritize security.  They get that in the wild west of the internet no one is going to protect them so they have to protect themselves, and in that protection they heavily invest.  They also know the value of the data they hold.  At the time of the Yahoo sale to Verizon, the most consistent post mortem was that Yahoo could not decide what kind of company it was.  For the failure to be clear, and act on that clarity in the market, it failed. Security may well have been a symptom. 

The question is was it also a cause?


Back to Top