What companies need to do after a major hack

[Photo: Attendees working on Apple Inc. laptop computers participate in the Yahoo! Inc. Mobile Developer Conference Hackathon in New York, U.S., on Tuesday, Aug. 25, 2015. Credit: Victor J. Blue | Bloomberg | Getty Images]

On Thursday, Yahoo confirmed that a huge data breach took place in 2014, affecting up to 500 million users. In August, the company said it was investigating a possible breach after a hacker claiming to have stolen the account information posted 200 million Yahoo user accounts for sale on the dark web marketplace The Real Deal. The account information, which purportedly included user names and passwords easily cracked with free tools available online, was listed for 3 Bitcoin, or roughly $1,800.

Such a low asking price is indicative of an older breach, said Security Scorecard chief research officer Alex Heid. It is likely that the hacker or hackers behind the attack have already tried to use the information to break into other services, such as bank accounts, PayPal accounts, email services, even Netflix, and have erased a lot of its value, said Heid.

Yahoo is already drawing criticism for not acting quickly enough to notify users of the breach, which could have larger implications for the $4.8 billion sale of the core business to Verizon. Cybersecurity experts agree that responding quickly to a breach is key to mitigating the impact.

The big question is whether Yahoo has accurately quantified the liability to Verizon, said Dimitri Sirota, chief executive officer of cybersecurity firm BigID, which helps companies track data within their systems.

It is not uncommon for companies to withhold the extent of a breach prior to a thorough forensic investigation, he said. Confirmation that a breach took place is unlikely to derail the Verizon deal, he said. That said, class action lawsuits from customers and securities suits from investors are not uncommon in these types of situations.

"A lot of this will depend on the severity of the breach and how current it is," he said. "I suspect there will be some fallout."

Here are the five steps experts say every company should take following a breach.

1) Respond quickly

"It's all about speed," said Wendi Whitmore, IBM director of incident response and intelligence services.

How fast a company can detect and respond to a breach greatly affects its recovery time, she said. Organizations that complete a post-mortem within 30 days save an average of $1 million, according to the IBM and Ponemon Institute cost of a data breach study.

"Every day it goes undetected, unchecked, that's going to escalate damage," said Experian vice president of Fraud & Identity product strategy Matt Ehrlich.

2) Have a plan in place

Ideally, a company should already have a response plan in place in the event that a breach takes place. The response plan should engage three key teams: an incident response team, a crisis communications firm, and outside counsel — a legal firm focused on computer security and cyber law, said Whitmore.

"Make sure you have contracts that specify how quickly these organizations will provide support and response time, so you aren't negotiating when you have had a breach," she said. "As the organization, you have a lot more leverage in negotiating if you're doing it proactively — the rates are less and they will agree to time frames."

By getting all the legal and procurement done ahead of time, companies can save days in the event of a breach.

"Days make a huge difference when responding to a breach," she said.

3) Be prepared to access the data for investigators

An investigative response team will need access to a company's network and hosts, and to any threat detection and logging tools the company employs. Healthcare and retail companies need to notify consumers as soon as possible.

"The more time it takes them to identify that and get to the bottom of it, the more it costs them," said Whitmore.

4) Be ready to do damage control

Typically, the investigation and remediation go hand in hand, said Whitmore. The remediation process should be tactical and strategic — a company may need to ask users to reset account information — which often has a knock-on effect on operations.

5) Have a crisis communications plan for employees, customers and the media

Once a company confirms a breach has taken place, depending on the industry, it may be legally required to inform people — the requirements vary from state to state, country to country, and depend on industry, regulation and compliance laws, and the type of information breached.

"This is one reason why it is so important to hire outside legal counsel and an IR firm well versed in these requirements," said Whitmore.

When communicating about the breach with employees, customers and the media, it is important not to overreact and reveal too much information too soon, said Ehrlich. All communication should be factual and straightforward — a strategy that is more likely to make your customers empathetic.

"You need to have all the facts and information — acting without those can be as damaging as doing nothing," said Ehrlich.

Something that often gets overlooked is an internal communications plan, said Whitmore. Once the news of a breach leaks out, employees often start to field a lot of questions. Having a law firm and crisis communications firm develop a crisis communications plan in advance is a good idea. Employee training is also important, and can be worked out before a breach ever happens.

"Imagine the worst case scenario — an intern tweets a screenshot of something happening on your network," said Whitmore. "Make sure employees know what they can and can't say and are trained and aware of what the corporate communications policies are."

The key takeaway: Take care of your crown jewels

"Personal data is the lifeblood of most organizations, and they need to better safeguard it against misuse and theft," said Sirota.