Free Essay on Yahoo Data Breaches: Causes, Challenges, and Impact of Cyber-Attacks

Introduction

The late 2014 and the August 2013 Yahoo data breaches were the greatest cyber-attacks in history, which affected over 500 million and one billion users, respectively (Trautman & Ormerod, 2016). Yahoo's disclosure of the attacks in 2016 dropped its market value from over 100 billion to 4.8 billion U.S. dollars when negotiating its sale to Verizon (Dilipraj, 2016). Moreover, the hackers acquired Yahoo users' confidential information, such as email accounts, telephone numbers, and encrypted passwords (Dilipraj, 2016). Consequently, the data breaches put Yahoo users at risk of financial losses, which ruined the company's reputation and integrity in securing its users' information. Technological advancements have transformed e-commerce, making consumers' data valuable; thus, hackers view digitalized companies as potential targets for financial benefits. Nonetheless, Organizations must prevent, monitor, and disclose data breaches to minimize the cost and impacts of cyber-attacks. In this paper, the study reviews articles on Yahoo data breaches to elaborate on the causes, challenges, and impact of cyber-attacks on digital organizations and their users.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Literature Review

In 1944, Jerry Yang and David Filo founded Yahoo in Sunnyvale, California, "as a guide in digital information discovery, focused on informing, connecting, and entertaining users through search, communication, and digital content products" (Trautman & Ormerod, 2016, p. 1249). Through web portals, search engines, and other related services, Yahoo provided users with personalized experiences on global matters either on phones or PCs (Trautman & Ormerod, 2016). However, like any e-commerce website, the company faced significant competition and risk factors from other organizations, for instance, a data breach, which is the "intentional or inadvertent exposure of confidential information to unauthorized parties" (Cheng et al., 2017, p. 1). In the technology era, data has become a vital component of e-commerce; thus, its value is increasing exponentially. Consequently, data breaches are frequently happening as hackers attempt to acquire valuable confidential information. Therefore, digital organizations have to invest in security systems that detect and prevent data loss. The Juniper Research forecast estimated the global annual cost of data breaches to hit 2.1 trillion dollars by 2019 because of the rapid digitalization of modern lives (Cheng et al., 2017).

In most cases, internal parties are responsible for data leaks either intentionally (theft and sabotage) or inadvertently (accidental disclosure). A recent Intel Security study revealed that 43% of data breaches are due to internal employees (Cheng et al., 2017). In other cases, competitor organizations employ third parties (freelance hackers) to access information illegally for their benefit. Moreover, other factors such as corporate espionage, poor business management, and failure to implement preventive technologies and security policies motivate external cyber-attacks (Cheng et al., 2017).

Hackers rely on underground market tools to execute cyber-attacks on digital organizations. Some of the protocols used in data breaches include the following. Programmers' credentials leak in online services due to exposed weak password policies like plaintext or unsalted password hashes, bcrypt, salted SHA-1, and symmetrically encrypted passwords (Thomas et al., 2017). Individuals can also plant phishing kits that deploy packages to configure targeted content and have built-in support for reporting the stolen data (Thomas et al., 2017). Furthermore, Hackers can utilize keyloggers like HawkEye and Predator Pain that have built-in functionality to steal device passcodes, and clipboard content, and even screenshot the user's activities (Thomas et al., 2017). Through malicious malware in paste websites and email cookies, an individual can implement these tools to acquire unauthorized data and information.

Methodology

The paper will analyze Yahoo's preparedness to prevent potential cyber-attacks and data breaches. A review of the implemented security policies provides insight into Yahoo's integrity in securing its users' data. Moreover, an overview of Yahoo's response to the late 2014 and August 2013 breaches reveals the company's commitment to prevent, monitor, and disclose cyber-attacks. Finally, the study evaluates the overall impacts on the organization's reputation and the cost of the data breaches.

Result and Discussion

Yahoo announced the late 2014 breach on 22nd September 2016 (Trautman & Ormerod, 2016). In its statement, Yahoo claimed that hackers compromised users' information, including names, telephone numbers, addresses, birth dates, passwords, and some security questions (Trautman & Ormerod, 2016). A later Yahoo report revealed that a "state-sponsored actor" was responsible for the breach (Trautman & Ormerod, 2016, p. 1262). According to news headlines in March 2017, the U.S Department of Justice indicted two Russian intelligence officers for "directing a sweeping criminal conspiracy" to hack Yahoo and steal confidential information for more than 500 million users in 2014 (Trautman & Ormerod, 2016, p. 1262). In another statement on 14th December 2016, Yahoo disclosed on the earlier August 2013 breach that exposed more than one billion accounts (Trautman & Ormerod, 2016). The report raised concern on how an internet giant like Yahoo could suffer two of the biggest cyber-attacks in history without their knowledge in real-time. Many Yahoo executives became aware of the breaches later on after 200 million Yahoo users' data was put on sale in the deep web in August 2016 (Dilipraj, 2016). According to internal reports, Ms. Marissa Mayer, CEO of Yahoo, was aware of the breaches in July 2016 but delayed disclosing the attacks to protect the company's reputation (Dilipraj, 2016).

A previous news article from the New York Times revealed that Ms. Mayer denied the Yahoo security team's financial resources and canceled proactive security defenses like intrusion detection mechanisms (Dilipraj, 2016). The weak security system was always vulnerable to frequent cyber-attacks. Individuals with malicious intent were motivated and targeted by Yahoo due to the lack of active preventive measures that detect and stop data breaches. Thus, hackers managed to execute the two attacks successfully using underground market tools embedded in email cookies. The malicious malware masked as Yahoo email cookies made it difficult to detect; hence, it collected and reported stolen confidential data over time without Yahoo's knowledge. Yahoo failed to match its biggest competitors in e-commerce and web advertising, such as Google and Facebook, which invested hundreds of millions of dollars in cyber-security to protect its users' data. Consequently, it suffered two data breaches that destroyed its reputation and led to financial losses.

Another exclusive report from Reuters News Agency on 4th October 2016, exposed that Yahoo developed a custom program to search all its users' incoming emails for specific information provided by U.S. intelligence organizations (Dilipraj, 2016). Yahoo scanned hundreds of millions of email accounts for the NSA and FBI following a classified U.S. government demand in 2015 (Dilipraj, 2016). Due to the directive, Yahoo kept the program a secret from the security team. The development of a classified program that accessed all user accounts presented individuals with malicious intent like corporate espionage, an opportunity to gain unauthorized data. Internal personnel with knowledge of the software could abuse their power and the confidentiality of the organization to access private information without the security team detecting the breach. Yahoo's uninvolving the security department in the system changes meant no defenses were in place for the specific upgrade making the organization more vulnerable. Moreover, internal reports suggested that Ms. Mayer asked the security team to stay quiet after detecting the classified program (Dilipraj, 2016). The actions proved Yahoo's lack of integrity in safeguarding its users' information.

Recommendations

Yahoo's negligence in investing in new technologies and security policies decreased its market value and annual revenues due to its awful reputation among digital organizations. Moreover, the U.S. justice system pushed the company to compensate its users for the loss of their confidential data and information. One can argue the rise of big data creates numerous security challenges that are difficult to combat without finances. Factors like scalability, accuracy, and timeliness of preventive measures while maintaining users' privacy are vital in setting up the most effective security policies. Nonetheless, Yahoo failed to protect and respond to the two data breaches.

Digital organizations must prevent, monitor, and disclose any cyber-attacks that may lead to users' data breaches. In 2010, Chinese military hackers breached Silicon Valley technology corporations, including Google and Yahoo (Trautman & Ormerod, 2016). The Google team responded with investment in cyber-security engineers to protect its data fidelity. In contrast, Yahoo's response was reluctant, making the organization a target for hackers. The Yahoo corporation, led by Ms. Mayer, should have invested consistently in cyber-attack defenses and implemented necessary security policies that ensure the integrity of users' data, for example, compensating hackers for informing the organization on digital vulnerabilities. Throughout her reign as CEO, Ms. Mayer clashed with the CISO, Mr. Alex Santos, who questioned Yahoo's commitment to securing data fidelity. Mr. Santos's suggestion to adapt end-to-end encryption for Yahoo's digital infrastructure could have prevented unauthorized access to users' accounts (Trautman & Ormerod, 2016). Moreover, a well-organized structure would have motivated all departments to work together in providing the best customer services, including securing their data and information.

The late 2014 and August 2013 data breaches revealed Yahoo's weak monitoring protocols responsible for identifying and preventing cyber-attacks. Various news reports suggested that only a few employees were aware of the 2014 breach in real time (Trautman & Ormerod, 2016). The organization should have incorporated a new system that engages users frequently in security verification steps for authentication. Upon detection of a hacking attempt, Yahoo could have implemented a standard security protocol that automatically reset all passwords. Furthermore, the conduct of Yahoo's senior management in response to disclosing the cyber-attacks was slow. The company should have reported the data breaches sooner to reduce the financial cost and impact on users. A change in Yahoo’s management practices could ensure the efficient implementation of technologies and security policies that prevent cyber-attacks.

Limitations

The study lacked comprehensive articles on the data breaches due to limited access to Yahoo's internal reports. Many news articles published scandalous opinions to increase their media ratings; thus, the sources lacked credibility. Moreover, there are no statements from the responsible hackers to provide insight into the tools utilized in the two breaches. Yahoo, as an organization, felt responsible for protecting its reputation and its staff, thus withheld vital information.