What Fight Club Doesn’t Teach Us About the Yahoo! Breach


Unless you’ve been stranded on a desert island for the past two days, you’ve likely heard about the record-breaking Yahoo! breach involving the theft of half a billion user credentials.

A key fact is that the breach being announced didn’t take place this year, or last. By some accounts, it was part of an intrusion in late 2014, or perhaps as far back as 2012, as a cybercriminal that goes by the name Peace claimed.

Just the other week we blogged about the Concerning Case of the Underestimated MegaBreaches, listing the growing trend of large companies who were announcing that previous disclosures of breaches from as far back as 2012 were now much larger than thought. Companies updating breach numbers included LinkedIn, Dropbox, Rambler.ru, last.fm, and more.

One commenter on our previous blog asked, “just what is it that’s exposing these multi-year old hacks now?” Nobody can say for sure, but Imperva founder and CTO Amichai Shulman believes that it’s at least partially due to hackers getting better at covering their tracks. One of the primary objectives of professional hackers is to remain undetected. This enables them to continue to reside in your network, map out your organization’s computing resources, discover where the valuable data is stored, and exfiltrate or send that data out of the network. The longer they remain undetected, the more they can steal. Apparently, the full scope of breaches can only be determined over time.

The real question here for Yahoo! and other organizations trying to determine if their security posture is sufficient is what’s the cost of getting breached? An article in the Register claims that it’s cheaper to get hacked than build strong IT defenses. They suggest that on an actuarial basis if the total cost of a breach is less than deploying a sufficient security defense, it probably doesn’t pay to build those defenses.

Fight Club fans will remember Edward Norton’s chilling depiction of the auto industry, in which he played an accident investigator for a major car company. In one scene, he was discussing their policy with the person seated next to him on a plane, and told her that if the cost of a car recall is more than the total cost of out-of-court settlements from accidents, injuries, and deaths, they don’t do a recall.

For anybody doubting the real potential risk of not implementing sound cyber security defenses, one only needs to look back to the Code Spaces breach, in which most of their data, backups, machine configurations and offsite backups were either partially or completely deleted. This left the company with no choice but to close its operations overnight and apologize to the customers whose hard-developed code was gone forever. Take that, Tyler Durden.

So what can the Yahoo! breach teach us? What do we learn by looking back at the train wreck of underestimated breaches growing by the day, and in consideration of the death of Code Spaces? The lesson would seem to be that, as opposed to Iain Thomson’s questionable perspective in The Register mentioned above, major companies are likely best advised to look beyond cold actuarial calculations. For if that’s all you’re looking at, you just may be missing something. The unforeseen consequences of not properly securing your network and protecting your company’s and customers’ valuable information can lead to a very damaging event, and this is made clear by the Yahoo! breach.

One last thought: if you’re like most people and reuse passwords across multiple accounts, and you have a Yahoo! account, we’d recommend changing your password now. See this post for some good password etiquette.