Obviously the timing could not have been worse for Yahoo: right in the middle of sale negotiations, and only months after its first major data breach became public. That time the share price largely recovered. This time? So the fundamental question remains: why was sensitive data not encrypted, and why were customer passwords not protected properly (a password never needs to be decrypted, only verified, so it should be stored as a salted, slow hash rather than in any reversible form)? Regulatory penalties for data breaches are strong motivators for better security practice, but the greatest motivation must be the risk of a tanked stock price.
Yahoo Inc. cautioned on Wednesday that it had uncovered yet another massive cyber-attack, saying data from more than 1 billion user accounts was compromised in August 2013, making it the largest breach in history.
The number of affected accounts was double the number implicated in a 2014 breach that the internet company disclosed in September and blamed on hackers working on behalf of a government. News of that attack, which affected at least 500 million accounts, prompted Verizon Communications Inc to say in October that it might withdraw from an agreement to buy Yahoo’s core internet business for $4.83 billion.
Following the latest disclosure, Verizon said, “we will review the impact of this new development before reaching any final conclusions.”
A Yahoo spokesman told Reuters that the company has been in communication with Verizon during its investigation into the breach and that it is confident the incident will not affect the pending acquisition.
Yahoo required all of its customers to reset their passwords – a stronger measure than it took after the previous breach was discovered when it only recommended a password reset.
Yahoo also said on Wednesday that it believes hackers responsible for the previous breach had accessed the company’s proprietary code to learn how to forge “cookies” that would allow hackers to access an account without a password.
“Yahoo badly screwed up,” said Bruce Schneier, a cryptologist and one of the world’s most respected security experts. “They weren’t taking security seriously and that’s now very clear. I would have trouble trusting Yahoo going forward.”
The story above is quoted from the original Reuters report.
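The forged-cookie detail in the report is worth making concrete. Web applications commonly issue a session cookie that is a set of claims (user, expiry) plus an HMAC tag computed with a server-side secret; whoever holds that secret can mint a valid cookie for any account without ever knowing a password. The following is an added example written for this page, not Yahoo's code and not a description of Yahoo's actual cookie format: the cookie layout, the secret, the user names and the timestamps are all assumed for illustration. It shows a legitimate cookie verifying, a cookie forged with a secret read out of source code verifying just as well, a tampered cookie failing, and the forged cookie becoming worthless once the secret is rotated.

```python
"""Added example: HMAC-signed session cookies and why a leaked signing secret
is equivalent to a skeleton key. Not Yahoo's code; layout and names are assumed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption for the demo: a secret that lives in the application's source tree,
# i.e. exactly what an attacker who reads the code walks away with.
SECRET_IN_CODE = b"hard-coded-session-secret-from-the-repo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_cookie(secret: bytes, user: str, ttl: int, now: Optional[int] = None) -> str:
    """claims.tag where tag = HMAC-SHA256(secret, claims).
    Nothing here checks who is calling: possession of `secret` is the only credential."""
    now = int(time.time()) if now is None else now
    claims = _b64(json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode())
    tag = hmac.new(secret, claims.encode(), hashlib.sha256).digest()
    return f"{claims}.{_b64(tag)}"


def verify_cookie(secret: bytes, cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user the cookie asserts, or None if the tag is wrong or it has expired.
    Tag comparison is constant-time so the check itself does not leak the tag."""
    now = int(time.time()) if now is None else now
    try:
        claims, tag = cookie.split(".", 1)
        expected = hmac.new(secret, claims.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(claims))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("user")


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: a real login, an attacker with the secret, an attacker without it,
    and the server rotating the secret after discovering the leak."""
    legit = mint_cookie(SECRET_IN_CODE, "alice", 3600, now)
    # Attacker has read the code, so has the secret: mint a year-long cookie for any account.
    forged = mint_cookie(SECRET_IN_CODE, "victim", 86400 * 365, now)
    # Attacker without the secret: graft alice's valid tag onto victim's claims.
    tampered = forged.split(".")[0] + "." + legit.split(".")[1]
    # Remediation: new secret held outside the code base (assumed name), old cookies all die.
    rotated_secret = b"new-secret-held-in-a-secrets-manager"
    return {
        "legit": verify_cookie(SECRET_IN_CODE, legit, now),
        "forged": verify_cookie(SECRET_IN_CODE, forged, now),
        "tampered": verify_cookie(SECRET_IN_CODE, tampered, now),
        "expired": verify_cookie(SECRET_IN_CODE, legit, now + 3600),
        "forged_after_rotation": verify_cookie(rotated_secret, forged, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

Two design points follow from the `forged` result. First, a signing secret kept in source code has the same blast radius as the code repository, so it belongs in a secrets store or HSM with an audit trail of who read it. Second, once a secret is suspected leaked the only reliable remedy is rotation, which invalidates every outstanding cookie, forged or not; a scheme that cannot rotate without logging out every user is a scheme that will not be rotated when it matters.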
It is simply unacceptable not to encrypt valuable or sensitive data (some reasonably argue that all of an organisation’s data is valuable and/or sensitive), whether that data is at rest in day-to-day use, archived on or off premises, or in transit across public or private networks.
The reasoning is very simple. When an organisation’s data defences are breached, encryption is what keeps the stolen data useless to the attacker. That holds only if the keys are managed separately from the data (in a key management service or hardware security module, not in the same database or source tree) and were not taken in the same breach, and only if the encryption is authenticated so that ciphertext cannot be tampered with undetected. Encryption is also not a substitute for access control: an attacker who takes over an application that legitimately decrypts the data gets the plaintext through it. And for passwords the right primitive is not encryption at all but a salted, deliberately slow hash, because the system only ever needs to verify a password, never to recover it.
While encryption should now be seen as a data security norm, all organisations must also adopt an IT strategy of “security by design”. Every IT initiative taken today must include security as a standard element, and encryption should always be a part of that security by design.
Today organisations can no longer afford to skip a security by design approach and leave data unencrypted. In many jurisdictions with mature data security regulation, such as mandatory breach notification legislation, credit is given to organisations whose breached data turns out to have been encrypted: the duty to notify affected individuals is typically waived where the data was encrypted and the key was not compromised, and regulators treat the incident more leniently. That is sound recognition that properly encrypted data means no breach of privacy, no loss of intellectual property and no financial damage to stakeholders.
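The question asked at the top of this post, why customer passwords were not protected, and the point above that breached data must be useless to whoever takes it, come together in how a credential store is built. The following is an added example written for this page, not code from the original post and not a description of how Yahoo stored passwords. It contrasts an unsalted fast hash, which a precomputed table cracks instantly and which exposes every user who chose the same password at once, with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) that a stolen table does not give away. The record format, the iteration count and the sample passwords are assumptions made for the demonstration.

```python
"""Added example: what a password table should look like so that stealing it
is not the same as stealing the passwords. Not the original post's code."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Self-describing record: algorithm$iterations$salt$derived-key (all hex).
    A fresh random salt per user means equal passwords give different records,
    so a table precomputed for one user (or one site) is useless against another."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        if alg != ALGORITHM:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters), dklen=32)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record, bad hex, non-integer count
        return False


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor (or an older scheme)
    than current policy; upgrade it on the next successful login, the only moment
    the plaintext is legitimately available."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


# For contrast only: an unsalted, fast hash, the kind a breached table must not contain.
def unsalted_fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_table(wordlist: Iterable[str], hasher: Callable[[str], str]) -> Dict[str, str]:
    """Precomputed hash -> password table, a stand-in for a rainbow table."""
    return {hasher(w): w for w in wordlist}


def demo() -> dict:
    """Constructed sample: two users who chose the same weak password, and an attacker
    holding a precomputed table built from a small wordlist."""
    wordlist = ["letmein", "password1", "qwerty"]
    table = lookup_table(wordlist, unsalted_fast_hash)
    fast_a = unsalted_fast_hash("password1")
    fast_b = unsalted_fast_hash("password1")
    slow_a = hash_password("password1", iterations=1_000)  # low count keeps the demo fast
    slow_b = hash_password("password1", iterations=1_000)
    return {
        "fast_records_match": fast_a == fast_b,      # cracking one user cracks both
        "fast_cracked": table.get(fast_a),           # instant from the precomputed table
        "slow_records_match": slow_a == slow_b,      # different salts, different records
        "slow_in_table": slow_a in table,            # precomputation does not apply
        "slow_verifies": verify_password("password1", slow_a),
        "slow_rejects": verify_password("password2", slow_a),
        "slow_needs_rehash": needs_rehash(slow_a),   # 1,000 is below policy: upgrade on login
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

PBKDF2 is used here because it ships with the standard library; where a memory-hard function such as scrypt or Argon2id is available it is the better choice, since it also blunts GPU and ASIC cracking. Salting and iteration do not rescue a weak password, they only raise the per-guess cost and stop one crack from cascading across users and sites, which is why a password policy and breach-list screening still matter alongside the storage format.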