Slashdot Mirror


UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach (theregister.co.uk)

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customer's data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

29 comments

  1. Hmm by Anonymous Coward · · Score: 0

    Does Yahoo even have that kind of money anymore?

    1. Re:Hmm by Anonymous Coward · · Score: 0

      a $334,300 fine for the 2014 cyber attack that exposed data of half a million Brit users.

      Less than a dollar per person. Just the cost of doing business. Marissa Mayer probably spent more than that on lunch over the course of a year.

    2. Re:Hmm by arglebargle_xiv · · Score: 1

      That was my reaction as well. For USAians, there's a British expression "slap on the wrist with a wet bus ticket". This fine is a fine example of this.

  2. Brexit = Russian Plot by Anonymous Coward · · Score: 0

    LOL - you limey bastards are just as uneducated and racist as the colonies across the pond. Although at least Theresa May isn't a stone cold traitor like Moscow Donald.

  3. So, about .50 GBP ... by CaptainDork · · Score: 2

    ... per incident.

    That's the damages? Seriously?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      they should at least pay their users minimum wage for the time they need to put in to fix Yahoo's fuckup

    2. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      It makes you wonder if you could sell the records on the black market for more than that. Does this mean that it's economically viable for companies to breach their own customers' data?

    3. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      Yep. Apparently all they have to do is make sure they make at least half a buck off of each person's personal info and they're good to go.

    4. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      This is one of the reasons why we have GDPR now.
      This breach happened while the older Data Protection Act was still in force, and that was capped at 500,000 GBP. This fine is half the maximum size because it didn't contain any of the most sensitive record types (medical, bank account numbers etc).

      As companies got bigger, the cost of looking after data properly became more than the biggest possible fine. At that point it'd be negligent to the shareholders to spend on protection instead of fines.

    5. Re:So, about .50 GBP ... by mjwx · · Score: 1

      ... per incident.

      That's the damages? Seriously?

      The problem is if the UK or EU tries to fine them real money, Americans will get upset and cry that the evil Europeans are trying to punish American businesses.

      Then they go on about some fantasy about what would happen if they picked up sticks and left... Which won't happen, the fantasy or the companies leaving.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:So, about .50 GBP ... by CaptainDork · · Score: 1

      I have long felt that the EU should have kicked out the greedy sumbitches, opting to fabricate homegrown solutions.

      A clever strategy would be to wrap it, as the US is doing, in the "national security" blanket.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      Individuals still have a moral and legal obligation to act ethically regardless of their other obligations towards shareholders. Saying, "Well it's cheaper to pay the fines than to prevent harm," is simply an attempt to waive the ethical obligation not to harm other people, which can't be done. Saying, "They have a duty to their shareholders" is itself a misunderstanding of how duty works.

      If you, as CEO, tell your shareholders "We did not do actions X, Y and Z this quarter because it would have caused harm to 500,000 individuals, even though we could have made an extra $750,000 if we had harmed those individuals," most shareholders will be fine with that. Even if they tell you, "Do this unethical and illegal action or we'll fire you," you still have an ethical and legal obligation to tell them to take a hike, even if that means they do fire you and find someone willing to break the law on their behalf.

    8. Re:So, about .50 GBP ... by Anonymous Coward · · Score: 0

      Under old data protection legislation, the absolute maximum penalty that could be issued was £500k, and that was only applicable where the data was highly sensitive (e.g. health data, credit records, etc.). Under all other circumstances, the maximum penalty is £250k.

      Things have changed under new regulations. In this case for low sensitivity data breaches, the maximum penalty is 2% of global gross income, or £10 million (whichever is greater). For highly sensitive data, it is 4% of global gross income or £20 million (whichever is greater).

  4. That's a reasonable fine for my data by WillAffleckUW · · Score: 1

    But what about all the other users?

    --
    -- Tigger warning: This post may contain tiggers! --
  5. Massively cheaper than actual security by gweihir · · Score: 2

    Having some experience with large-corporation implementation of security mechanisms, I would guess this fine is at the very least 10x cheaper than what implementation of actual security would have cost. May as well be 100x or even 1000x. As long as this is the utterly pathetic and laughable reaction to a massive data breach caused by extremely bad security, nothing will change.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Might want to check out some of the newest securit by raymorris · · Score: 1

    Based on the higher end you suggested, I wonder if you've looked at some of the newer security solutions that have come out in the last few years. As certain types of security solutions have been scaled, companies like Alert Logic now offer solutions at perhaps 1% of what similar things would have cost a few years ago.

  7. You get what you pay for by schwit1 · · Score: 1

    I've got a bridge to sell you if you were stupid enough to use a free service AND expect perfect security.

    1. Re:You get what you pay for by hyades1 · · Score: 1

      And I've got a brand new word for you. "Egregious". You can look it up, if you like. Maybe you'll even be clever enough to figure out what it has to do with a corporation that makes a good buck selling SOME of your information, while implying through word and deed that the data you provide in return for its services will be respected.

      Say it with me: "Egregious".

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
  8. Re:Might want to check out some of the newest secu by gweihir · · Score: 1

    The higher end is for full custom, because nothing that fits is on the market. Also, remember Yahoo's size.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Yahoo, Consider Yourself Lucky by Anonymous Coward · · Score: 0

    If this had happened after GDPR you'd be well and truly fucked.

  10. $355 total (most basic mom&pop security checkl by raymorris · · Score: 1

    We have several Fortune 50 customers, companies as big as Yahoo or bigger. Most of their security needs aren't that special. Securing a database isn't much different whether it has 1,000 records or 100 million records. All the companies have their corporate email system, VPN, etc, that all need pretty much the same security treatment. The custom part is identifying the critical assets, a topic I shall return to shortly.

    Several years ago, I owned a security company which specialized in serving VERY small web companies, 20 employees or fewer. For $250 we'd go through a checklist of basic, important things like making sure passwords were stored as a salted hash, not plaintext. If we found you were not using salted SHA-1 or better*, we had a simple solution. We had a little module that integrated with most popular software to use strong encryption. The cost was $35. To instead add our password hash function to your custom-written software, the cost would be closer to $70. We also had code to convert old, unsalted hashes to salted, or weak hashes to strong.** Another $35 for that.

    That $250 checklist certainly didn't cover everything a company like Yahoo should do! It DID, however, cover "does your database use strong salted hashes for passwords?". It would have identified the problem that took down Yahoo, for $250. The cost to look at the password column was the same whether there are 200 users or 2 million users - either way we're just checking to see how the passwords are stored, which is generally going to be the same for all users. After $250 to find the problem with the most basic of security checks, our standard book rate to fix the problem Yahoo had, in the "deluxe", most expensive way, was $105. So $355 total to find and fix that most obvious problem. Of course since it's Yahoo and they would probably have a lot of bureaucracy to deal with maybe we'd charge them ten times as much, $3,550.

    I'm totally serious, that's one of the 40 or so items we checked, for $250. Any of the 250,000 mom & pop web sites displaying "Security by Strongbox (tm)" has taken care of that, so they don't have the major, obvious security problem that was the Yahoo debacle.

    * We'd now use something stronger.
    ** You might think it's impossible to convert salted MD5 hashes to SHA-256. I'll be impressed if you figure out the trick I used to do it.

    Thinking about Yahoo's cost for security, vs fines and penalties, this fine is UK only. They had at least an $80 million class action settlement and $35 million fine in the US, and probably other penalties that I don't know offhand, then this $350K or whatever additional for the UK. If UK is fining them, I imagine other countries may as well. So the size of Yahoo as a whole shouldn't be compared to this one small part of the fines. The comparison would be:
    If they had spent $115 million (or whatever) on securing their operations generally, which are based in the US, how much EXTRA would securing their UK operations cost?

    Most of their security needs would be served just fine by off-the-shelf solutions. Their Active Directory server needs to be secured the same way every other company needs to secure their Active Directory. Nothing special about Yahoo's VPN for travelling workers, it's a standard set of Cisco ASAs just like every other company. They need to turn off TLS 1.0 just like everyone else. They need to install the same OS security updates on all their servers and workstations just like everyone else. Whether their database has 40 million records or 4,000 records, the cost to check the security of the database server and the schema isn't much different. (We just have to check that all the servers in the cluster have the same configuration). We have software that checks all these things. Given scale, it costs pennies per asset to scan them. My current company checks for over 100,000 different vulnerabilities, and a company with operations the size of Yahoo would cost a few thousand per month, if that much. (If you look at Yahoo's market c
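The checklist item raymorris keeps coming back to ("does your database use strong salted hashes for passwords?") can be automated as a read-only audit of the password column. The following is an added example written for this page, not raymorris's checklist tooling or any vendor product; the scheme labels, the prefix table and the sample column values are constructed for illustration, and the classifier is a heuristic on the stored string's shape (a plaintext password that happens to be 32 hex characters would be mislabelled), which is exactly the kind of check that costs the same for 200 rows or 2 million.

```python
import re
from collections import Counter
from typing import Iterable, List

# Hypothetical labels keyed on the length of a bare hex digest (constructed for this example).
HEX_DIGEST_LENGTHS = {
    32: "unsalted MD5-length hex",
    40: "unsalted SHA-1-length hex",
    64: "unsalted SHA-256-length hex",
}
# Modular-crypt style prefixes and the scheme they indicate.
MODULAR_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$argon2": "argon2", "$pbkdf2": "pbkdf2",
    "$6$": "sha512-crypt", "$5$": "sha256-crypt",
    "$1$": "md5-crypt (salted but fast)",
}
# What the checklist item accepts: salted and deliberately slow.
ACCEPTABLE = {"bcrypt", "argon2", "pbkdf2", "sha512-crypt", "sha256-crypt"}

_HEX = re.compile(r"[0-9a-fA-F]+")
_SALTED_HEX = re.compile(r"[0-9a-fA-F]+[$:][0-9a-fA-F]+")


def classify(value: str) -> str:
    """Guess how a stored credential value was produced from its shape alone."""
    if value.startswith("$"):
        for prefix, name in MODULAR_PREFIXES.items():
            if value.startswith(prefix):
                return name
        return "unknown modular-crypt scheme"
    if _HEX.fullmatch(value) and len(value) in HEX_DIGEST_LENGTHS:
        return HEX_DIGEST_LENGTHS[len(value)]
    if _SALTED_HEX.fullmatch(value):
        # salt and digest glued together: salted, but the hash itself is unknown (usually fast)
        return "salted hex with unknown (likely fast) hash"
    return "likely plaintext or reversible encoding"


def audit(column: Iterable[str]) -> Counter:
    """Tally of scheme labels over a whole password column."""
    return Counter(classify(v) for v in column)


def passes_checklist(column: Iterable[str]) -> bool:
    """True only if every row is stored with a salted, slow scheme."""
    return all(classify(v) in ACCEPTABLE for v in column)


# Constructed sample column: one row per storage style a checklist audit tends to find.
SAMPLE_COLUMN: List[str] = [
    "hunter2",                             # plaintext
    "5f4dcc3b5aa765d61d8327deb882cf99",    # bare 32-hex digest, no salt
    "a1b2c3d4$" + "0" * 32,                # salt$digest with an unknown fast hash
    "$2b$12$" + "a" * 53,                  # bcrypt-shaped (body is a placeholder)
    "$1$abcdefgh$" + "b" * 22,             # md5-crypt: salted, but fast
]


if __name__ == "__main__":
    for label, n in audit(SAMPLE_COLUMN).items():
        print(f"{n:4d}  {label}")
    print("checklist item passes:", passes_checklist(SAMPLE_COLUMN))
```

The output of `audit` is what goes in the report; `passes_checklist` is the single boolean the checklist needs, and it fails on any row, because one plaintext or unsalted column entry is enough to undo the protection for that user.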

  11. Re:$355 total (most basic mom&pop security che by gweihir · · Score: 1

    I do not dispute that where it can be done, a generic approach may be entirely appropriate. But there are IT landscapes where that is not possible and you need to go full custom at least in part. My estimate was for them and it does include costs on the customer side, not just what they pay to an external party.

    As to salted MD5 to SHA-256, that is actually pretty simple in practice: If you need the protection now, you put both on top of each other, i.e. SHA-256(salt_new, MD5(salt, pwd)). The first time a customer logs in and you actually (temporarily) have the password, you strip out the MD5 layer. This is just a quick&dirty approach, better ones may exist and there may be specific constraints from the customer that require a modified or different approach.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
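The two-step migration gweihir sketches (wrap the existing salted-MD5 digest in SHA-256 offline, then replace it with a direct SHA-256 the first time the user logs in and the plaintext is briefly available) is the same "trick" raymorris's footnote alludes to. Below is an added example of that scheme, written for this page; it is not gweihir's or raymorris's code and not a product. The record layout, the three scheme names and the sample users are constructed; SHA-256 is used because that is what the thread names, and as raymorris's footnote says, a real deployment would put a slow KDF in its place.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    """One row of a hypothetical credential table (constructed for this example)."""
    scheme: str                        # "md5" (legacy), "sha256(md5)" (wrapped), "sha256" (upgraded)
    salt: bytes                        # salt of the innermost hash
    digest: bytes                      # stored digest
    new_salt: Optional[bytes] = None   # outer salt, present only while wrapped


def legacy_md5(salt: bytes, password: str) -> bytes:
    # The weak legacy scheme the thread describes: salted MD5.
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def strong_hash(salt: bytes, data: bytes) -> bytes:
    # SHA-256 as named in the thread; swap in bcrypt/Argon2/PBKDF2 for production use.
    return hashlib.sha256(salt + data).digest()


def make_legacy_db() -> Dict[str, Record]:
    """Constructed sample table of salted-MD5 credentials."""
    db: Dict[str, Record] = {}
    for user, pwd in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(8)
        db[user] = Record("md5", salt, legacy_md5(salt, pwd))
    return db


def wrap_all(db: Dict[str, Record]) -> int:
    """Step 1, offline: wrap every remaining salted-MD5 digest in SHA-256 under a fresh salt.
    Needs no plaintext, so it runs over the whole table at once. Returns rows wrapped."""
    wrapped = 0
    for rec in db.values():
        if rec.scheme == "md5":
            rec.new_salt = os.urandom(16)
            rec.digest = strong_hash(rec.new_salt, rec.digest)
            rec.scheme = "sha256(md5)"
            wrapped += 1
    return wrapped


def verify_and_upgrade(db: Dict[str, Record], user: str, password: str) -> bool:
    """Step 2, at login: verify against whichever scheme the row is in; on success,
    strip the MD5 layer while the plaintext is in hand. Returns whether login succeeded."""
    rec = db.get(user)
    if rec is None:
        return False
    pwd_bytes = password.encode("utf-8")
    if rec.scheme == "md5":
        candidate = legacy_md5(rec.salt, password)
    elif rec.scheme == "sha256(md5)":
        candidate = strong_hash(rec.new_salt, legacy_md5(rec.salt, password))
    elif rec.scheme == "sha256":
        candidate = strong_hash(rec.salt, pwd_bytes)
    else:
        return False
    ok = hmac.compare_digest(candidate, rec.digest)
    if ok and rec.scheme != "sha256":
        rec.salt = os.urandom(16)
        rec.digest = strong_hash(rec.salt, pwd_bytes)
        rec.new_salt = None
        rec.scheme = "sha256"
    return ok


if __name__ == "__main__":
    db = make_legacy_db()
    print("rows wrapped offline:", wrap_all(db))
    print("alice login:", verify_and_upgrade(db, "alice", "correct horse"), "->", db["alice"].scheme)
    print("bob (never logged in):", db["bob"].scheme)
```

The point of the wrap step is that the stored MD5 digests stop being useful to anyone who copies the table the moment the wrap is applied, without waiting for users to return; the login step then retires the MD5 layer per user, and a row that is still in the wrapped state after a long time is a dormant account worth reviewing on its own.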
  12. Chump change by XSportSeeker · · Score: 1

    A sub billion fine on a case like this is insulting, useless, and only incentivizes other companies to follow similar non-existent security practices.
    Let's remember this wasn't only a small leak, but one of the biggest multiple leaks where the company purposely hid for years the whole thing, allowed for it to happen multiple times over, and was unapologetic the entire time.

  13. Re:$355 total (most basic mom&pop security che by Anonymous Coward · · Score: 0

    Yahoo cannot be fined for stupidity. Right from day one this was USA hacker paradise.
    Boys with all the toys to flatten Yahoo servers.
    It's still possible these days to walk up to a computer and flatten a website server in less than one minute. You get in big trouble if caught, but some people do not care, normally underage kids.


  14. Re:$355 total (most basic mom&pop security che by Anonymous Coward · · Score: 0

    >you need to go full custom at least in part.

    Huh? What does that even mean?

  15. obComment by cascadingstylesheet · · Score: 1

    One Meeeelllion dollars!

  16. Just because it's impossible doesn't mean we don't by raymorris · · Score: 1

    That's cool you saw right away (or knew) *both* ways to convert. When I pose that question, a couple of people have thought of sha(md5(P)), but everyone insists it's impossible to actually convert md5(P) to sha(P). The more they know about cryptography, the more certain they are that it's impossible.

    That's the thing about security - just because something is mathematically impossible doesn't mean we can't do it, or an attacker can't do it. Heat death of the universe blah blah, a well-worded phone call beats fundamental physics most of the time.

  17. Value? by h8sg8s · · Score: 1

    $334k is about the current value of Yahoo! Wonder if Verizon has buyer's remorse yet?

    --
    Organization? You must be joking..