In late September, Yahoo announced that at least 500 million user accounts had been compromised. The data stolen included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data. Large data breaches have become increasingly common: Just in 2016 we have found out about Yahoo’s breach as well as the LinkedIn hack (compromising 167 million accounts) and the MySpace breach (360 million accounts).
The Yahoo breach affected more users than the other two, but all of them share a crucial element: They were announced to the public years after the fact. The LinkedIn hack happened in 2012, MySpace was breached in 2013 and Yahoo was hacked in 2014. Not until 2016 did users of the three sites found out their information had been stolen.
When personal information is stolen, rapid response is important. Customers need to change their passwords, and take other steps to protect their identity, including securing bank accounts and credit records. If people don’t know a breach has occurred and that they need to take these protective steps, they remain vulnerable.
So why does it take such a long time for companies to disclose that they have been hacked? It’s not as simple as you might think – or hope.
Time is a key factor
It’s not yet clear when Yahoo learned about its attack, though in this case the timing is questionable. A news article published on August 1 quoted a company spokesperson saying Yahoo was “aware” a hacker was selling login details for 200 million Yahoo accounts in an online black market.
But more than a month later, the company filed a document with U.S. financial regulators saying it didn’t know of any claims of “unauthorized access” that might have an effect on its pending sale to Verizon. And Verizon said publicly that it had heard about the breach only two days before Yahoo announced it to the world.
All those events, of course, were years after the breach had actually happened. This is an uncommonly long delay. According to a recent report from network security firm FireEye, in 2015 the median amount of time an organization’s network was compromised before the breach was discovered was 146 days.
That includes all sizes of companies in all types of business. As a major internet company with an extremely large user base, it’s reasonable to expect Yahoo might detect – and disclose – breaches much sooner than other firms.
Detecting, and confirming, the hack
The company has said it believes the attack was conducted by a national government, though it hasn’t said from what country. That may suggest the attack was more sophisticated, and therefore harder to detect – but it’s impossible to know if that’s true, because the company has declined to offer details of how the breach was achieved.
In addition, anyone on the internet can claim anything they want – companies have to investigate their systems to find out whether someone who is advertising they have login information for sale actually took anything, or is just making it up to cause trouble.
Nontechnical reasons that Yahoo took so long to discover the hack could include frequent changes in leadership of its security team and the companywide stress of finding a buyer.
Notifying the public
Once a company has learned it has been hacked, it’s important to tell customers – and the public – so that people can take proper measures to protect their information, privacy and identities.
At present there is no federal law regarding when companies must tell the public about information security breaches. In 2015, Democrats proposed giving firms 30 days from discovering a hack to announcing it had happened. That effort failed because many states, which have varying requirements, have stricter standards that the federal law would have overruled.
Recovering a corporate reputation
Tech companies can typically recover quickly from data breaches – if they respond fast and take the necessary steps to notify their users. That’s true even for corporations whose data breaches resulted in the compromise of customers’ credit card information, such as Target in 2013 and Home Depot in 2014.
Lawsuits filed after the breaches have cost companies millions in settlement costs, not to mention legal fees and lost business. The lesson is clear: Early disclosure of a data breach is better. If Yahoo knew about its hack as early as August – or even years ago – and took this long to announce it to the public, the company has manifestly betrayed its users’ trust.
Though Yahoo urged users to change their passwords and security questions after the public disclosure of the security breach, thousands of users took to social media to express anger that it had taken the company two years to uncover the data breach. The lawsuits filed against Yahoo are mounting.
It can be extremely difficult for companies, even tech-focused ones like Yahoo, to protect themselves from skilled and determined hackers. But not reporting the attack as soon as it’s suspected can be almost as damaging as the hack itself.
Live Science newsletter
Stay up to date on the latest science news by signing up for our Essentials newsletter.