Online security after the Yahoo hack: How safe is your data?
The data breach at Yahoo has left half a billion people around the world worried about the safety of their online data. But can consumers, especially in Germany and Europe, do anything to protect themselves from such attacks?
Far from running into millions, the average cost of a data breach is less than $200,000, or roughly what firms are spending on IT security systems, according to a study from the non-profit think tank RAND.
The study, published in the Journal of Cybersecurity, challenges the much higher cost estimates provided by the Ponemon Institute. This year that research organization put the average cost of a breach at $4m.
RAND policy researcher Sasha Romanosky analyzed 12,000 events between 2004 and 2015 and found that the cost to each firm was on average less than $200,000. This figure is on a par with the 0.4 percent of revenues that firms in the study spent annually on IT security.
“We find that the typical cost of a data breach is less than $200,000, far lower than the millions of dollars often cited in surveys, e.g., Ponemon 2015. Moreover, we find that cyber incidents cost firms only 0.4 percent of their annual revenues, much lower than retail shrinkage of 1.3 percent, online fraud, 0.9 percent, and overall rates of corruption, financial misstatements, and billing fraud, five percent,” the author said.
In other words, the low direct costs of remediating a breach appear to offer little incentive for firms to spend more than they do currently. That situation goes some way to explaining why governments see the need for laws such as Europe’s new data-protection regulation, which threatens firms with fines of up to €20m or four percent of global annual revenues.
In the US context, Romanosky wanted to find out whether firms will voluntarily improve their security controls under NIST’s Cybersecurity Framework, which grew out of the executive order President Obama signed in 2013.
Romanosky sourced data for the study from Advisen, a US insurance analytics firm that sells data to insurance companies and has a database of 300,000 incidents.
He also found that credit-card numbers and medical information were the most commonly compromised information, while malicious incidents accounted for 60 percent of all incidents. Meanwhile, 1,700 incidents resulted in legal action, with half brought by civil suits and 17 percent through criminal prosecutions.
Romanosky’s findings are consistent with a recent analysis of the remediation costs of several high-profile data breaches in the US, including those against Sony, Target, and Home Depot. Each company’s costs ran into tens of millions of dollars, but amounted to less than one percent of their respective annual revenues.
However, some breaches are relatively expensive. The breach of UK ISP TalkTalk, which was caused by a simple coding error, cost the firm £60m, which amounted to three percent of its 2016 revenues. Its breach prompted recent calls for CEOs to face pay cuts where lax security is found.
The author of that analysis, New York-based political economist Benjamin Dean, concluded that firms have little incentive to invest in security because others bear the costs of risks they take.
For example, credit unions claimed it cost $60m to replace cards exposed in the Home Depot breach, which was more than Home Depot’s final remediation cost even before insurance payouts.
Romanosky isn’t certain whether there are sufficient incentives to invest more in data security. He speculates that the cyber insurance industry may be “driving a de facto national cybersecurity practice across insureds”, but he hasn’t found evidence that firms are responding by investing in cybersecurity.
However, with breach costs so low, he believes it will be difficult to convince firms to voluntarily adopt the US NIST’s cybersecurity framework.
Two San Diego residents have filed a class-action complaint against Yahoo following a data breach that compromised 500 million accounts.
The complaint was filed Thursday in U.S. District Court in San Diego by local attorney David Casey on behalf of Jennifer Myers and Paul Dugas. It came on the same day the email provider confirmed the massive security breakdown, which dates back to late 2014.
In the complaint, the plaintiffs allege their private information was compromised. The complaint accuses Yahoo of “deceptive practices” and “negligence,” alleging the tech company did not take reasonable care to prevent the hack.
The complaint states that “damage caused by identity theft in general registers in the billions of dollars.”
“The type of information compromised in this data breach is highly valuable to perpetrators of identity theft,” the complaint states. “Names, email addresses, telephone numbers, dates of birth, passwords and security question answers can all be used to gain access to a variety of existing accounts and websites.”
The complaint seeks an unspecified amount of damages to be determined at a jury trial.
“They’re really angry this wasn’t found out sooner,” the plaintiff’s attorney David Casey told NBC 7. “For it to have occurred and then for it not to be discovered for a two-year period is pretty outrageous.”
Yahoo says it has more than 1 billion monthly users, although it hasn’t disclosed how many of those people have email accounts. In July, 161 million people worldwide used Yahoo email on personal computers, a 30 percent decline from the same time in 2014, according to the latest data from the research firm comScore.
The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.
Yahoo told NBC 7 “We don’t comment on ongoing litigation.”
While one annual industry report puts the cost of the average cyber-incident at $1 million, an analysis of insurance data puts damages much lower—at about $200,000.
Companies that spend little on security workers and technologies may not be acting irresponsibly, but making rational choices, because the cost of the average cyber-security incident is much less than previously estimated, according to research released this week by the RAND Corp.
The analysis found that the average incident costs companies about $200,000, much less than $1.0 million—the average cost of a cyber-criminal event as estimated using data from the annual Cost of Cybercrime report conducted by the Ponemon Institute.
Those losses only amount to 0.4 percent of annual revenues, costing companies far less than the annual costs of retail shrinkage at 1.3 percent and online fraud at 0.9 percent, Sasha Romanosky, a policy researcher with RAND and the author of a paper on the analysis, told eWEEK.
“That is telling and it’s important, because if the losses were really high, then that would be a strong incentive for the company to adopt more security and improve their practices,” he said.
The data for the analysis was provided by for-profit insurance information firm Advisen, which collects data on a variety of incidents and their eventual insurance payouts. Romanosky analyzed 12,000 cyber-security incidents over a decade.
But despite this report’s findings, some large enterprises are getting hit with painfully big losses that show why some companies need to invest in strong cyber-security measures.
Target’s 2013 breach involving the credit-card and personal information of 70 million customers cost the company at least $291 million as of May, damages that eventually may exceed $370 million. On Sept. 22, Yahoo acknowledged that attackers may have made off with the log-in credentials of some 500 million customers.
While large breaches make headlines, the vast majority of cyber-crime incidents are much smaller and cost far less. How much is still a large question mark. Researchers and statisticians have trouble quantifying the damage.
The averages vary from a median of $200,000 per incident for Romanosky’s analysis to an annual total of $5.5 million in the Ponemon Institute report and a stunning $150 million as calculated by Deloitte Touche in a recent paper seeking to take into account more “soft” costs, such as increases to insurance premiums, costs of operational disruptions, lost customers, loss of intellectual property and the loss of brand value.
Such soft costs are hard to quantify, however, so Romanosky used only documented costs, he said.
“We cannot deal with reputation and brand; we don’t look at stock market price and revenue,” he said. “We are not measuring any externalities or any chilling effects that may occur. We are trying to stay focused on the firm stuff.”
In addition to the hard-to-quantify costs, the difference between the cost estimates of the Ponemon Institute and the Advisen data set could arise from differences in data sets. The median company in the Ponemon data set is between 5,000 and 10,000 employees.
Yet, without massive and widespread losses, companies will likely continue to make security investments a lower priority, Romanosky said.
“They will keep doing what they are doing, unless something big happens,” he said. “You have to really suffer a personal loss and then feel the impact and feel personal change to change your behavior.”
Since yesterday’s announcement by Yahoo that half a billion accounts’ worth of private information had been pilfered by hackers, the usual post-breach advice (change your password, don’t reuse passwords across sites, and so on) has circulated throughout the media. Several critical lessons, however, are not getting sufficient attention, and they are of paramount importance to both businesses and consumers.
1. Do not use challenge questions for authentication
In its official statement, Yahoo noted that it “invalidated unencrypted security questions and answers so they cannot be used to access an account” and recommended that affected users “Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.”
Simple enough, right?
No. In many cases, it’s effectively impossible.
You cannot reset your mother’s maiden name. You cannot move your mother’s birthday to a new date. And you cannot retroactively change the color of your first car, or the location at which you first met your spouse. Yes, people can memorize and utilize phony answers to such questions – but doing so simply transforms the challenge question into a demand for a second password, and, especially if you have to change that “password” more than once in response to multiple breaches, any remembrance benefit of asking a question over a password disappears.
Challenge questions are usually extremely weak forms of authentication that are problematic for many reasons. Let’s hope the Yahoo breach serves as the catalyst for more firms to get rid of them.
Igor Baikalov, Chief Scientist at Securonix, mentioned a similar thought to me: “From the user perspective, the biggest problem is unencrypted security questions and answers lost in this breach – while you can easily change that constantly compromised password, how many favorite pets can you possibly have?”
2. After-breach statements – often written with the assistance of crisis management and public relations experts – continue to downplay the risk to people of breaches.
Yahoo noted in its release that the stolen passwords were “hashed passwords (the vast majority with bcrypt)” without explaining in layman’s terms what that means, or that, even with hashing, users are at risk of their passwords being cracked, especially since the hackers have likely had the Yahoo data for nearly two years. As Michael Lipinski, CISO and Chief Security Strategist at Securonix, put it, “The Yahoo team looks to be trying to deflect the risk to users by saying that passwords were hashed using bcrypt. Ask them how that worked out for Ashley Madison. They used the same salt hash and the hackers found a work around to the brute force methods of cracking the password.”
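To make the hashing point concrete, here is an added example (not Yahoo’s code, and not from anyone quoted on this page) of the offline attack an adversary runs against a leaked password table. bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 with a per-user salt as a stand-in for a slow, salted hash; the usernames, passwords and attacker wordlist are constructed for the example. It contrasts that table with an unsalted SHA-1 one: a salted, iterated hash multiplies the attacker’s cost per guess and stops a single precomputed table from cracking every user at once, but weak passwords still fall within a handful of guesses either way.

```python
import hashlib
import hmac
import os

# Work factor for the slow KDF. bcrypt's cost parameter plays the same role;
# PBKDF2-HMAC-SHA256 is used only because it ships with the standard library.
ITERATIONS = 20_000


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def fast_hash(password: str) -> bytes:
    """Unsalted single SHA-1, the kind of hash many older sites stored."""
    return hashlib.sha1(password.encode("utf-8")).digest()


# Constructed "leaked" credential records; these are not from any real breach.
USERS = {
    "alice": "password123",
    "bob": "qwerty",
    "carol": "vL7!qr-Tango-93x#wolf",   # long random passphrase, in no wordlist
}

# Constructed attacker wordlist, ordered by popularity as a real cracker's would be.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "iloveyou", "yahoo2014"]


def build_leaked_tables():
    """The same user base stored two ways: unsalted fast hash, and slow hash with per-user salt."""
    fast = {user: fast_hash(pw) for user, pw in USERS.items()}
    slow = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)          # unique per user, stored next to the hash
        slow[user] = (salt, slow_hash(pw, salt))
    return fast, slow


def crack_fast(table, wordlist):
    """One precomputed lookup serves every user: hash count == len(wordlist), whatever the user count."""
    lookup = {fast_hash(word): word for word in wordlist}
    recovered = {user: lookup[digest] for user, digest in table.items() if digest in lookup}
    return recovered, len(wordlist)


def crack_slow(table, wordlist):
    """Per-user salt forces one KDF evaluation per (user, guess) pair; the work factor multiplies each."""
    recovered, evaluations = {}, 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            evaluations += 1
            if hmac.compare_digest(slow_hash(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered, evaluations


def demo():
    """Run both attacks; returns ((recovered, hash_count), (recovered, kdf_evaluations))."""
    fast, slow = build_leaked_tables()
    return crack_fast(fast, WORDLIST), crack_slow(slow, WORDLIST)


if __name__ == "__main__":
    (fast_hits, fast_cost), (slow_hits, slow_cost) = demo()
    print("unsalted SHA-1:   ", fast_hits, "after", fast_cost, "hashes total")
    print("salted slow KDF:  ", slow_hits, "after", slow_cost, "KDF runs of", ITERATIONS, "iterations each")
```

Both attacks recover alice and bob; carol survives only because her password is not in the wordlist, not because of the hash. What the slow, salted hash buys is time: the attacker pays the full work factor for every (user, guess) pair instead of hashing the wordlist once, which is why the two years the attackers apparently held the data matter.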
Of course, organizations can take precautions to reduce the risk of brute-force password cracking in the event of a password-database breach. As Amichai Shulman, CTO of Imperva, worded it: “To prevent brute force attacks, security officers should not rely on only password policies, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials.” Note that these controls limit online guessing against the live service; they do nothing against offline cracking of a stolen hash table, where the only defenses are a slow, salted hash and passwords strong enough not to appear in a cracker’s wordlist. That said, defenses against brute-force attacks are not totally bulletproof, and people need to understand that hashed password leaks are a real problem.
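The online-side controls Shulman lists can be expressed as a small login guard. The following is an added example, not Imperva’s product or any code from this page; the login attempts, the breached-password set and the user-agent markers are constructed for illustration. It applies a per-account sliding-window rate limit, challenges scripted clients, forces a reset when a correct password appears in a known breach corpus, and steps up authentication on a login from a country not previously seen for the account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for a breached-credential corpus (e.g. a local copy of a
# published password dump). Real deployments check against millions of entries.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "password123", "letmein"}
MAX_FAILURES = 5                    # failed attempts allowed per account per window
WINDOW = timedelta(minutes=15)
AUTOMATION_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/")


class LoginGuard:
    """Online-attack controls applied around credential verification."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failed attempts
        self.last_country = {}               # account -> country of last successful login

    def check(self, attempt):
        """Return (decision, reasons); decision is 'allow', 'deny' or 'challenge'.
        attempt: dict with ts, account, password, credentials_ok, country, user_agent."""
        ts = datetime.fromisoformat(attempt["ts"])
        account = attempt["account"]
        reasons = []

        # 1. Per-account rate limit over a sliding window.
        recent = self.failures[account]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            return "deny", ["rate_limited"]

        # 2. Headless or scripted clients get a CAPTCHA-style challenge before anything else.
        ua = attempt["user_agent"].lower()
        if any(marker in ua for marker in AUTOMATION_MARKERS):
            return "challenge", ["automated_client"]

        # 3. Wrong password: record the failure so the window above fills up.
        if not attempt["credentials_ok"]:
            recent.append(ts)
            return "deny", ["bad_credentials"]

        # 4. Correct password that appears in a known breach: force a reset.
        if attempt["password"] in BREACHED_PASSWORDS:
            reasons.append("breached_password")

        # 5. Correct password from a country never seen on this account: step-up auth.
        previous = self.last_country.get(account)
        if previous is not None and previous != attempt["country"]:
            reasons.append("new_country")

        if reasons:
            return "challenge", reasons
        self.last_country[account] = attempt["country"]
        return "allow", reasons


def attempt(ts, account, password, ok, country="US", ua="Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"):
    """Build one constructed login attempt record."""
    return {"ts": ts, "account": account, "password": password, "credentials_ok": ok,
            "country": country, "user_agent": ua}


# Constructed attempt log (not real traffic): five bad guesses against alice, then a sixth;
# bob logs in with a breached password; carol logs in from two countries; dave uses curl.
SAMPLE_ATTEMPTS = (
    [attempt(f"2016-09-23T10:00:{i:02d}", "alice", f"guess{i}", False) for i in range(6)]
    + [
        attempt("2016-09-23T10:01:00", "bob", "password123", True),
        attempt("2016-09-23T10:02:00", "carol", "vL7!qr-Tango-93x#wolf", True, country="US"),
        attempt("2016-09-23T10:03:00", "carol", "vL7!qr-Tango-93x#wolf", True, country="RU"),
        attempt("2016-09-23T10:04:00", "dave", "S3cure-pass", True, ua="curl/7.50.1"),
    ]
)


def run_sample():
    """Feed the constructed log through one guard; returns [(account, decision, reasons), ...]."""
    guard = LoginGuard()
    return [(a["account"], *guard.check(a)) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for account, decision, reasons in run_sample():
        print(f"{account:6} {decision:9} {','.join(reasons)}")
```

The sixth attempt against alice is rejected before the password is even checked, bob is pushed into a reset despite knowing his password, and carol’s second login is held for step-up authentication. In production the breached-password set would be a large local corpus or a k-anonymised lookup service, and the rate-limit state would live in a shared store rather than in process memory.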
3. Criminals – and even state actors – want people’s private information.
As I mentioned in an article earlier this week, today’s hackers are often more interested in stealing data than stealing a few dollars from peoples’ checking accounts. People need to understand this and take personal precautions with their own computer systems.
As Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire explained, “It can be difficult for the average consumer to understand why personal data is valuable to criminals, especially since the initial reports rarely go deeper than the price the initial attacker can get for such records. Personal information, like names, email addresses, and birth dates, are most often used for either phishing campaigns or identity theft.”
Jonathan Sander, Vice President of Product Strategy at Lieberman Software, noted that the Yahoo breach was apparently committed by “a state level actor, which isn’t surprising given the amount of effort and resources it likely took to break security at one of the Internet’s biggest names.”
Yes, governments are interested in knowing people’s private information; armed with such data, governments can find good recruitment targets for their espionage programs, blackmail people in order to force them to perform various actions, discover which foreign government workers may be careless with information security, and achieve other aims.
So, with 500 million accounts breached, we should focus on more than once again simply resetting passwords.
Network equipment vendors that are focusing on security in the data center and cloud may be ahead of the curve. Case in point: Yahoo revealed yesterday that 500 million of its accounts were compromised in 2014. The unknown culprit gained information about Yahoo users’ names, email addresses, telephone numbers, dates of birth, and answers to security questions.
A cybersecurity analyst at Flashpoint says it was a database breach across all Yahoo integrations, including clouds. Further, Yahoo blames the breach on “state-sponsored” actors, and Vitali Kremez, the cyber intelligence senior analyst we spoke to at Flashpoint, agrees.
He bases that determination on the fact that even though the breach occurred in 2014, the stolen data had not surfaced in any dark marketplace until possibly August 2016. “The motive is likely not financial,” says Kremez. “It’s likely to be espionage.”
Asked if Yahoo could have done anything to prevent this, Kremez says the search engine company probably adhered to general security practices such as having a dedicated security team, maintaining a robust patch management system, reviewing logs, and isolating its databases.
But the breach is so egregious, Kremez says, “It’s almost like they stole the grand piano from the house while the family was home.” The breach probably derived from “a single point of failure,” he says. If a company stores all its data in one location, “it becomes a treasure box for criminals.”
Companies that practice superior cyber hygiene separate data for each user, spreading it across data center assets. That way, if a culprit obtains some information, such as names and emails, he doesn’t also obtain the security answers.
Eric Chui, president of HyTrust, a company that does workload security, says 500 million records is such a huge amount of data that it could only be stolen if someone had access on Yahoo’s network with admin credentials. Hackers gain this access by using “social engineering” to trick employees into providing network information. Or they gain access by using malware.
“Given the amount of data, the attacker was on the network for a significant amount of time,” says Chui.
Why Didn’t Yahoo Encrypt?
Chui says companies should encrypt their data. That way, even if the data is stolen, it’s useless.
Yahoo’s data centers would be part of its private cloud. But Chui says, “There’s a juxtaposition about how they’re concerned with security, but the priorities and monies aren’t being spent accordingly.”
Both Chui and Kremez agree that companies don’t take available security precautions because they cost money and don’t bring in revenue.
However, the New York Times reported that the cost to remediate a data breach is $221 per stolen record. Applied to Yahoo’s 500 million records, that comes to roughly $110 billion, far above its $4.8 billion sale price to Verizon. And this breach might even jeopardize the sale.
What do state-sponsored actors do with identifying data from 500 million accounts if they’re not selling them? Kremez says they cull the data to exploit high-value individuals such as C-level executives and politicians — impersonating them, harvesting their personal information, and orchestrating further attacks.
And when they’re done with an account, they might sell it on the dark market.
WDFW licensing system. The state said it knew the system was vulnerable to attack.
Washington Department of Fish and Wildlife customers will soon find a letter in their mail about a recent data breach.
The security failure compromised more than 2 million customers, and WDFW officials say they knew the online system had vulnerabilities. The hacker obtained the name, address, date of birth, and driver’s license number of anyone with a profile created prior to July 2006.
Soon after reporting his or her own crime, the hacker began bragging that vendor ActiveOutdoor Networks was hacked before by a “kiddiot,” but the company “didn’t take the time to fix a much more serious error.”
“I’m more angry that he has my customers’ data than I am that he’s bragging about it,” said WDFW Licensing Division Manager Peter Vernie. “I don’t want my customers to be exposed this way.”
Vernie said the state tried for years to find a new software vendor, but budget and other issues stood in the way.
“It was just one more thing on top of the pie we deal with everyday. It wasn’t too surprising but it was disappointing,” said Dan Stauffer, who sells licenses at Ed’s Surplus and Marine in Lynnwood.
Stauffer said the hacker only hurt business a little bit, but he was already fed up.
WDFW admits the system is 10 years old and in need of serious upgrades.
“It’s old, and it’s been obsolete for a number of years, held together with spit, baling wire and string,” Stauffer said.
The state will go live with a new company later this year, but still hasn’t activated online license sales. Letters alerting compromised customers should arrive in the mail as early as Thursday.
“He’s saying he has over 6 million profiles from these three states that he was able to capture, so I think he’s really trying to develop some street cred out there,” Vernie said. “We took this really seriously. I think we took it more seriously than any other incident we’ve seen.”
Copyright 2016 KING
Yahoo! Inc. is being accused in lawsuits of failing to secure customer data after the company said the personal information of at least 500 million users was stolen in a 2014 hack.
As a result of the company’s “failure to establish and implement basic data security protocols, contrary to Yahoo’s guarantees, its users’ personal information is now in the hands of criminals and/or enemies of the U.S.,” according to the latest complaint, filed Friday in federal court in San Jose, California.
The case was filed by a New York resident and seeks class-action status on behalf of other Yahoo users. Similar cases have been filed in Illinois and San Diego.
The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon Communications Inc., set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.
Yahoo spokesman Charles Stewart declined to comment on the San Jose complaint.
Plaintiff Ronald Schwartz is asking the court to require Yahoo to compensate users for any damages resulting from fraud and to pay for measures to identify and safeguard compromised accounts.
Schwartz slammed Yahoo for failing to discover the data breach until a few
“Defendant’s misconduct was so bad that it evidently allowed unauthorized and malicious access to plaintiff’s and the class’s personal information on defendant’s computer systems to continue unimpeded for nearly two years,” according to the complaint.
The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, un-encrypted security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate theft of payment card data or bank account information, or unprotected passwords, the company said. Affected users are being notified, accounts are being secured, and there’s no evidence the attacker is still in the network, Yahoo also said.
The case is Schwartz v. Yahoo! Inc., 5:16-cv-05456, U.S. District Court, Northern District of California (San Jose).