Do you Yahoo? Even if you have never had a Yahoo email account, the news that hackers breached Yahoo’s security infrastructure and stole personal and security information connected to up to one billion accounts should cause you to stand up and take notice. While the Yahoo breach is the largest known breach to date, countless other companies, groups and institutions have had their networks breached and their data stolen by cybercriminals.
Whether you are an individual concerned with protecting your personal information and financial assets or a CEO responsible for protecting the data of a major corporation, you need to understand the growing threat presented by data breaches and learn the steps you need to take to protect yourself from past and future attacks.
The Largest Data Breach in History
On September 22, 2016, Yahoo announced that hackers had compromised their security systems and gained access to private information related to 500 million user accounts. While subsequent analysis has suggested that the figure of compromised accounts may rise to a staggering one billion, the type of information obtained is also of deep concern. Among the information stolen were email addresses, physical addresses, birthdate information, telephone numbers, security questions and answers, and hashed passwords. As a group of concerned United States senators wrote after being notified of the breach, “This is highly sensitive, personal information that hackers can use not only to access Yahoo customer accounts, but also potentially to gain access to any other account or service that users access with similar login or personal information, including bank information and social media profiles.”
One Among Many: The History of Data Breaches
You may be breathing a sigh of relief if you have never had a Yahoo account. Think again. The Yahoo breach is only the latest in a series of massive data breaches that have affected individuals and businesses for more than a decade. The following is a list of some of the other major breaches that have occurred:
- TK/TJ Maxx: 94 million records (2007)
- Sony PlayStation Network: 77 million records (2010)
- Sony Online Entertainment: 24.6 million records (2011)
- Evernote: 50 million records (2013)
- MySpace: 360 million records (2013)
- Living Social: 50 million records (2013)
- Target: 70 million records (2013)
- eBay: 145 million records (2014)
- Home Depot: 56 million records (2014)
- JP Morgan Chase: (2014)
- Anthem: 80 million records (2015)
Even more troubling, the above list represents only a tiny percentage of the data breaches that have occurred in the past decade. Experts have calculated that over 4500 data breaches have occurred since 2005, and a study by Verizon found over 2100 data breaches affecting in excess of 700 million records in 2014 alone! As this data clearly demonstrates, whether you have a Yahoo account or not, if you venture onto the Internet, have a bank account or use your credit card, you are at risk of having your information stolen.
How Do Data Breaches Impact Individuals?
Data breaches, such as the one that occurred at Yahoo, can have a devastating effect on individuals. Many people use the same username and password combination to access multiple accounts. Once a cybercriminal gains access to the password an individual uses for any one account, a technique called credential stuffing lets the cybercriminal search for and access other accounts that use the same username and password, rendering all of the individual’s accounts vulnerable to compromise and illegal access.
Personal information obtained in a data breach can also be used to design targeted phishing attacks. Once a cybercriminal gains access to private personal information such as email addresses, physical addresses and telephone numbers, they can create phishing emails that are more difficult to distinguish from authentic emails. This greatly increases the risk that such crimes will succeed by deceiving individuals into disclosing valuable personal and financial information, such as credit card numbers, while increasing their potential exposure to viruses, trojans and other malware. Another danger for individuals occurs when security questions and answers are compromised. Many individuals use the same information for security questions and answers on multiple accounts. Have you ever considered how many times you have used your mother’s maiden name or the name of the street you grew up on as the answer to a security question? Once such information is compromised, all of your accounts may be vulnerable.
As frightening as all of the above scenarios can be, there could be an even darker side to finding yourself the victim of a data breach. Even if you don’t fall victim to a cybercriminal yourself, your friends and loved ones might be at risk. Usman Choudhary, Chief Product Officer at ThreatTrack Security, notes, “our friends and family on social networks are also at risk if cybercriminals use our information and identity to compromise others.”
How Do Data Breaches Impact Businesses?
Falling victim to a data breach can have major impacts on any business. Once customer information has been compromised, it can be difficult for a company to regain consumer trust. A survey by FireEye found that 76 percent of those questioned would “move away from companies with a high record of data breaches.” Another survey found that 30 percent of those who responded “will change suppliers if the company they are using becomes a victim of cyberattack” and that 28 percent “would also never consider using an organization if it had been previously reported as a victim.”
Simply losing current or new customers may be only one of the many difficulties a compromised company may face. Lawsuits targeting companies involved in data breaches are a frequent occurrence. Companies such as Home Depot, Target, Sony, and LinkedIn have been the subject of data breach lawsuits. As might be expected after the revelation of the recent data breach, Yahoo has already become the target of a class action lawsuit.
The Yahoo case provides another stark example of one of the dangers of a data breach to a business. Experts have questioned whether the recent data breach might have negative consequences for the pending merger of Yahoo and Verizon. Telecommunications industry analyst Jeff Kegan notes, “The dark cloud this casts will be very long and will likely impact the merger agreement. We’ll just have to wait and see what happens next.”
How Can You Protect Yourself?
There are a number of steps you can take to protect yourself from becoming the victim of a crime resulting from a data breach. First and foremost, you must maintain good password discipline. Never use the same password twice, use complex passwords that are difficult to guess, and change your passwords often. Changing your passwords frequently matters because organizations often take a long time to discover that a data breach has occurred, and additional time can pass before the individuals affected are notified. For example, the recent data breach at Yahoo occurred in 2014 but was not announced until September 2016. Change your passwords proactively, and do not assume that a breached organization will tell you to change your password in a timely fashion.
There are additional important actions you can take to protect yourself. Enabling two-factor authentication for your accounts can provide an important additional layer of security. You should also use a service, such as the website haveibeenpwned.com, to check to see if any of your accounts have been compromised.
Data breaches are a growing threat to both individuals and businesses. You can protect yourself, but the changing nature of cybercrime and related technologies makes constant vigilance important. Staying one step ahead of the cybercriminals may not be easy, but doing so is a growing necessity that can no longer be safely ignored.