Cyber Insurance Cost Examples – Yahoo Data Breach

Yahoo provides one of the best examples of the enormity and severity of what can happen with a data breach. Although the events are now a few years old, Yahoo suffered three data breaches, which were only reported two or three years after they happened.

Estimates of accounts breached ranged from 500 million through to every single one of the accounts. The information that was lost or accessed included names, email addresses, telephone numbers, dates of birth, passwords and sometimes encrypted security questions and answers.

Someone at Yahoo tried to make the point that at least no credit cards or credit card numbers were accessed, but that is in many ways fairly irrelevant.

The importance of the Yahoo breach centres on several areas.

The first is the issue of when and how Yahoo reported the breach.

Any delay in letting people know that the information has been accessed by someone who should not have a right to it increases the chance of that information being used for any criminal purpose such as identity theft.

Tracing and reporting identity theft, and trying to deal with it, is a hugely complex process. Anyone who has suffered it will tell of the enormous difficulties they face in trying to prove that they are not the person that someone else has said they are.

Identity Theft

Anyone trying to prove identity theft will find it difficult to prove where the other person got the information from, especially if it was two or three years previously.

Any company that experiences a data breach has a moral as well as, normally, a regulatory duty to disclose information to whoever has been affected by the breach as soon as possible. The danger is that any company is going to be afraid of the reputational damage that acknowledging such a breach is likely to cause.

This is one reason why most cyber insurance policies include some provision to pay for a PR company of some description to help manage the fallout and restore some type of reputational credibility.

Even if a company such as Yahoo is taken to task by any regulatory authority for not disclosing a breach earlier, in many ways the damage has already been done.

The other main issue that a data breach at companies such as Yahoo highlights, or perhaps the question it raises, is whether anyone is safe. This question is almost the most important one that can be asked.

It is not about Yahoo’s technology systems or their cyber governance policies. It is about the fact that Yahoo is one of the oldest and was one of the most respected technology companies since the foundation of the Internet, and if they can be breached and hacked to this extent then presumably anyone can.

The breach at Yahoo is almost not about whether they have the most secure IT systems. It is more about the credibility of the Internet, and a sense of whether or not a technology company of its stature should be able to be breached and, if it is, whether it dealt with it properly.
