The recent data breach disclosed by Yahoo is set to be a game changing event. In late 2014, hackers stole the information associated with at least 500 million Yahoo! user accounts, but the breach was only publicly disclosed on September 22, 2016. In a statement on the security issue, Yahoo says “a recent investigation” confirmed that user information was stolen by an unnamed “state-sponsored actor.” When was the breach actually detected? That remains unclear. What is clear is that the breach has had immediate repercussions both for Yahoo, potentially putting its Verizon acquisition at risk, and for other organizations.
In the short time since the disclosure of the data breach, two lawsuits have been issued against Yahoo. These are likely the first of many more. The FBI has announced that it is investigating the affair, as has the ICO, and six democratic senators have sent a letter to Yahoo CEO Marissa Mayer demanding answers. Specifically, they have asked for information detailing when the breach was discovered, calling the lag between breach and disclosure “unacceptable.” Senator Mark Warner also asked the US Securities and Exchange Commission (SEC) to investigate Yahoo, perhaps in an attempt to test the SEC’s newfound commitment to enforce data security failings.
We know that time matters when it comes to breach containment. In fact, there is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result. The two year lag at Yahoo is notable in that regard, particularly as the event is now the largest data breach in history. Some observers even question whether Yahoo truly detected the data breach two weeks after its SEC filings claimed no knowledge of security incidents. Meanwhile, others claim Yahoo’s breach was not state-sponsored at all. Either way, both claims place the reputation of Yahoo on the line.
The size and unanswered questions about the Yahoo breach have renewed the pressure to enact a Federal-level law requiring data breach notification. All three FTC commissioners are currently voicing their support for Federal data breach notification legislation. As such, there is the chance that bipartisan support for this legislation could push these standards through, after many failed attempts in the past.
When you want to prevent a security incident from becoming a full-scale data breach, you need to act quickly. Respond time matters in containing security incidents. And if a breach does occur, most companies will shift their focus to mitigate the typical associated costs and other consequences. In the event of litigation, which is commonplace now in large breach incidents, the collection and preservation of information is key to reducing these costs.
Using Absolute Data & Device Security (DDS), you can determine potential (or existing) threat conditions in your endpoint deployment. Identify which threat conditions may compromise your ability to comply with corporate and government regulations. Through Absolute DDS, you can also gain insight into your deployment and data before a data breach occurs. With automated alerts, you can monitor your encryption status, your SCCM status, set risk triggers and monitor sensitive data, no matter where it is. You can also be alerted when specific device or user behavior shifts. With a persistent connection to each device, you can assess risk and apply remote security measures so you can protect each endpoint and the sensitive data it contains - and prove it, with a full audit report. Learn more at Absolute.com