So, as the news cycle spins and people rush to change their passwords and account information as a result of the data breach of 5 million records at Yahoo!, I think it an opportune time to also remind businesses of the many cautionary tales inherent in this story.
1. An email address is so much more than just an email address. Many people have asked me if they really need to do anything, because they “never use their Yahoo! email account” and they most definitely don’t have it tied to financial information or “really important information.” Compromising an e-mail account does several things. Most obviously, it puts all information flowing in and out of your account at risk of being viewed and used without your consent. It would also enable the thief to send and receive messages pretending to be you.
But what many forget is that the e-mail address today is as much an identifier as simply a location at which you get e-mail. Indeed, many website or bank “account IDs” are your email address. Or, when you click the “Forgot Password” button on any bank website or other site, the site is most often going to send the reset password code or link to your... wait for it... email account. So, controlling access to that e-mail account not only enables access to e-mail, it provides a key to any other account in which your e-mail address is used for purposes of access control. Businesses can assist their customers by not requiring an e-mail address as an account ID, or by providing other ways to identify and authenticate their users.
2. The call does not always come from inside the house. With data breaches, often the person who discovers the breach is not affiliated with your company in any way. Having an active data governance and information security program in place is critical not only to keep up with the risks yourself, but also to know when to take outside reports seriously with an appropriate response.
3. Symptoms may not be visible. As with any bodily infection, sometimes the infection or unauthorized access to your system is not immediately evident. Indeed, the original Yahoo! hack took place in 2014; yet only now are the symptoms visible and the company capable of responding. Your data governance planning should account for technical safeguards, including intrusion detection systems and other monitoring that is actively updated and reviewed to detect changes in system configurations, missing files, and the presence of files that should not be there. You may not always be able to stop an attack or infection, but you may be able to stop the extraction of data or mitigate the harms resulting from the attack in days, instead of months or years.
4. Due Diligence: Don’t Forget the Data! As many know, Yahoo! is in the process of potentially being purchased by Verizon. One point I continually make to clients is that when they are assessing an acquisition, they need to account for what new data they are taking on, in addition to looking at the financial, personnel, or property risks. For example, acquiring regulated data, like consumer reports (FCRA) or protected health information (PHI), when you have no compliance program in place can quickly change the financial analysis of whether you want to take on that company or not. Additionally, as Verizon is doing with Yahoo!, you will want to look into the security history of the company and determine what issues, if any, may be waiting for you to take on should you buy the business.