Slashdot Mirror


Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com)

Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.

11 of 56 comments

  1. Not good enough by Anonymous Coward · Score: 5, Insightful

    When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. It doesn't solve the problem, either, because these are usually settled to the benefit of the lawyers. Instead, the executives and any managers who were behind this negligence need to spend some serious time in prison. Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach. I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice. However, there also needs to be some lengthy jail sentences for plenty of people at Yahoo. It's also time that companies like Yahoo that do this have to pay serious restitution to everyone on the receiving end of such a breach, enough so to put the company out of business (that shouldn't be hard in Yahoo's case).

    1. Re:Not good enough by JaredOfEuropa · Score: 5, Interesting

      I join you in your moral outrage, but... does the law (US law or otherwise) even have a provision for such negligence? Also, what is it we want to see punished? Lax security? That sounds fine until you realise every guy with a message board will be on the hook as well: not everyone is a security expert (or even a half decent webadmin), and certainly not everyone can afford to hire one.

      What I certainly would like to see punished is the very, very late disclosure of the breach. Starting this year, companies in the Netherlands are obliged to disclose data breaches. Fines for non-compliance go up to €500k for simple cases; for more serious cases the fine is capped at 10% of net yearly turnover. It's a start... the law applies only if sensitive information was leaked, such as names, dates of birth, addresses, medical info, etc. It doesn't cover username / password. Also, the company discloses the breach to the authorities, not their customers; the authorities may force the company to inform their customers as well, though.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Not good enough by Anonymous Coward · Score: 2, Interesting

      "When you're this negligent with your security, a simple class action lawsuit for damages won't suffice."

      Take a good look at the Lawyers involved...
      They don't take on trivial cases.
      They win.
      They get huge settlements.

      And don't think for a minute that "Ronald Schwartz" just waltzed into the Law Offices with a grudge. There will be other suits filed all over the country Very Soon Now, by other "Chosen" Plaintiffs, just to get this all rolled into one Big Hairy Juicy Class Action Law Suit. Possibly the biggest, ever.
      Of course, even Lawyers have to eat, and this will take years, maybe a decade, unless Yahoo or whatever quickly stripped carcass of Yahoo is left, caves. But still, there is Big Money behind this. Just Whose is the question.

      "I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice."
      I like the way that you phrased this, because the hands-off Wild West metaphor for the Internet has gone too far. When Law failed in the Wild West, Vigilance Committees formed and hanged a few self-made bastards. (And note that subsequently, a few members of these Committees were hanged themselves... These things do tend to get out of hand.)

      "Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach"
      The Wild West metaphor applies to Mayer as well. She should stop thinking about redesigning Logos, and start thinking about full-time heavily-armed Security for Herself, her Family, and her Associates, for the foreseeable future.

      People, a lot of them, and this includes Stockholders, are getting very angry at Corporate America. Both Trump and Clinton are channeling this, which is actually dangerous for both of them given their past. That Corporate America has allied itself to the Criminal World, and I'm looking at you, ISPs and the entire Advertising Industry specifically, and Big Pharma, Big Finance, and the Entertainment Industry in general, means that there is little room any longer for subtleties; at some point something snaps, and it comes time to just simply hang them all, and then throw the Nation's largest Block Party ever, and have some Barbecue.

      Then again, I was never much good at Prophecy; if I was, I'd have a bigger Yacht...

    3. Re:Not good enough by MoarSauce123 · Score: 4, Insightful

      Worse even, if Yahoo is convicted and has to pay damages, it will be less expensive than implementing proper safeguards. As long as breaches are cheaper than security, not much will happen.

  2. No trouble for the pending sale. by williamyf · Score: 2

    Remember, Yahoo is selling the CORE ASSETS, but Yahoo (the company) will still exist, as a placeholder for Alibaba and Yahoo! Japan shares. So, it is Yahoo (the company) that is still liable for the breach, not Verizon. If push comes to shove, Yahoo can sign a MoU stating that it is it, and not Verizon, that will carry all the brunt of the hack (lawsuits, fines, reparations, costs and any other thing derived from this hack).

    The Alibaba, Yahoo Japan and any other assets in this company shall be enough to cover that.

    --
    *** Good luck to everyone and have a nice day!
  3. Cheaper to get hacked than do security maintenance by Neo-Rio-101 · Score: 5, Interesting

    Wasn't Slashdot only a number of articles ago talking about how much cheaper it is to get hacked than to deploy proper security and maintenance?

    We've known this for ages... and I learnt about it the hard way years ago as a webmaster.

    In my junior sysadmin pre-ITIL cowboy days, I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
    Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
    Turns out that doing so broke a number of customer webpages, which were reliant on some old, broken and unmaintained code. The website owners then complained and whined to our company that we threatened their businesses. (Fortunately they only made peanuts for our bottom line, so luckily we didn't care that much.)

    Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.

    Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.

    Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT, you may as well fire the sysadmins, because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.

    That's how security patching works in the real world. In other words, it doesn't.

    The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive.
    That's why there is so much outsourcing combined with support contracts: so company managers can point the finger at vendors when things go to hell, and then walk away with legal indemnification and still keep their job and their pensions, while saying that they kept costs down when things eventually go to pot.

    So in this Yahoo case, someone finally has the guts to call Yahoo out on it.

    --
    READY.
    PRINT ""+-0
  4. Re:Cheaper to get hacked than do security maintena by h33t+l4x0r · Score: 4, Insightful

    It's not about that. The initial hack could have been anything from a 0-day to a 5-year-old exploit; you don't know, and that's not the issue anyway. The issue is that they didn't tell anybody about it for 2 years. Users need to know that their passwords are compromised, because they often will (for example) use the same password for online banking.

  5. Seems fair by melting_clock · Score: 4, Insightful

    Gross negligence is accurate enough when a company allows data on 500 million customers to be hacked and then fails to notify those customers for 2 years. Choosing to keep this from customers achieves little more than proving the company cannot be trusted. This should have been handled better.

    Fixing the problems, then disclosing the breach and taking immediate action to protect customers would be the action of a responsible and trustworthy company.

    This is going to cost them customers and reduce the value of the company. Not an ideal situation for anyone about to buy it...

  6. Re:Cheaper to get hacked than do security maintena by JaredOfEuropa · Score: 3, Insightful

    > pre-ITIL cowboy days

    Are things a lot better post-ITIL? In my experience ITIL has made things a lot more predictable... most often predictably awful. Not that I blame ITIL for that; that's like blaming your hammer for the shoddy birdhouse you built. It's more like a crutch: people think "if we all do what it says in this book, we'll do better". In terms of business outcomes I have not found that to be true very often.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  7. Re:Cheaper to get hacked than do security maintena by Zedrick · Score: 2

    > Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than
    > to do any proactive security maintenance. This works in a number of ways.

    Uh, that's not the right lesson to draw from this. If customers get hacked because they are running out-of-date CMSes, it's their fault. It's also their fault if it's not working because they have outdated crap that's incompatible with modern PHP versions. But if you neglected to update PHP, and the customers get hacked because of that, it's your fault. You might be able to talk your way out of it in some cases by pointing out that (this kind of) hacking is bad, but if the customer is a company or a person who cares, they will demand to know exactly how this could happen. Having a logfile that shows them exactly what exploit in their outdated CMS or plugin or theme was used is very satisfying.

    I see this in every major PHP release. The answer to customers who complain is "too bad, update your old outdated Joomla 1.5.x/WP 3.5.x crap. Or if you don't want to do that, good luck finding a reliable host that still has php 5.eol".

  8. Par for the course for Ms. Mayer by OneHundredAndTen · Score: 2

    She is a perfect example of an individual who owes everything to timing - she happened to be at the right place, at the right time. She is pretty useless.