Lessons of the Yahoo Data Breach

On Wednesday, Yahoo announced that personal information from one billion user accounts, including names, addresses, passwords, phone numbers, birthdates, and security questions, was stolen. By noon Thursday, Yahoo’s stock had fallen 5% and Verizon’s $4.8 billion purchase of the company appears to be in jeopardy.

Right now, it seems Verizon executives and general counsel are hunkered down trying to assess the damages from the massive breach and what legal liability they will be taking on should the deal go through. At the very least, it probably goes without saying that they’re going to look to shave something off Yahoo’s $4.8 billion price tag.

None of that, however, affects or comforts Yahoo users who have had their personal information stolen. Despite Yahoo saying that banking information was stored separately and was unaffected by this breach, that assurance doesn’t include anyone who used their Yahoo account for financial management. For those people, the concern is that this information may be used to break into their financial accounts. Any users who have bank or credit card statements, online bill pay, or have even had tax records emailed to them are now at risk.

At this point any Yahoo user needs to assume their account has been breached and start to take some proactive steps. First off, change all your Yahoo passwords, including security questions and answers. That’s a given. Second, scour your email account and get rid of any personally identifying information. This includes banking, tax, or billing information. Lastly, don’t click on any links or open any attachment unless you know absolutely it is legitimate. Even if it appears to be from Yahoo, don’t do it. They’re sending text-only alerts.

In the long term, users should monitor their bank accounts for any suspicious activity and maybe get a credit report. In many cases, after a breach the company will offer free credit monitoring or something similar; take advantage of it. If you want to take it a step or two further, you can place a fraud alert on your credit reports to require businesses to verify your identity before offering credit, or even place a credit freeze to stop anyone opening new accounts in your name. These may seem like overkill, but considering the information stolen, that might not be the case.

For any business or organization that might be affected by Yahoo’s breach – and, let’s face it, with a billion users’ information being stolen, that’s practically everybody – now might be a good time to look into becoming ISO 27001 compliant. ISO 27001 is a top-to-bottom approach to information security management systems (ISMS) that covers legal, physical, and technical controls for managing information security risk.

The system has six parts that include defining a security policy, defining the scope of the ISMS, conducting risk assessments, managing identified risks, selecting control objectives and controls to be implemented, and preparing a statement of applicability. If you’d like help in walking through ISO 27001 compliance, contact us and we can help with everything from internal audits to corrective and preventive actions.
