Lessons Learned from Yahoo breach for Small Businesses
How the hack began
According to FBI news, the hack began with a straightforward spear-phishing scam. It took only one employee clicking on a scam link for the cybercriminal to gain access to Yahoo's system. The criminal then searched Yahoo's network to locate the email database and the related account management tool, and created a back door into Yahoo's system. The hacker later transferred the database and account management tool to his own computer. The initial cybercriminal and his 3 partners then mined the data. The Justice Department indictment claimed the attackers used data from the stolen database to then attack a smaller, targeted audience.
How the breach impacted victims
The stolen Yahoo information provided the criminals with victims' personal identification information and passwords. Because many people reuse passwords on multiple online sites, the criminals were able to access other accounts owned by the victims. Even backup email addresses (provided for customer reference if the customer forgets his password) were helpful to the criminals, because the hackers were sometimes able to identify places of employment from the company name in the email address.
The 47-count indictment claimed that the cybercriminals used the stolen information in multiple ways, including stealing credit card details and sending spam under the contact names of the victims.
The breach not only impacted hundreds of millions of Yahoo users by forcing password changes; it also had hard dollar impacts and jeopardized other networks.
Innocent people can cause a data breach that has wide repercussions. Employees need to truly understand the impact of opening phishing emails. Businesses need to ensure their employees have strong training on how to identify phishing scams and what to do if they receive a phishing email.
Businesses are vulnerable if they do not have safeguards in place to detect intrusions into their network and the export of large amounts of data. Alert systems are needed to watch for mass data movement.
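As an added illustration of the kind of alerting this paragraph calls for (example code written for this page, not from the article or the author's company), the following Python check sums outbound bytes per internal host per day from constructed flow-log lines and flags any day whose volume dwarfs that host's own baseline. The log format, host addresses and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not from the article): date, internal host, bytes sent outbound.
# The last line models a single host pushing ~42 GB out in one day.
SAMPLE_FLOWS = """\
2016-03-01 10.0.0.5 1200000
2016-03-01 10.0.0.9 800000
2016-03-02 10.0.0.5 1500000
2016-03-02 10.0.0.9 700000
2016-03-03 10.0.0.5 1100000
2016-03-03 10.0.0.9 900000
2016-03-04 10.0.0.5 1300000
2016-03-04 10.0.0.9 42000000000
"""

def parse_flows(text):
    """Yield (date, host, bytes_out) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        date, host, size = parts
        try:
            yield date, host, int(size)
        except ValueError:
            continue

def daily_egress(flows):
    """Sum outbound bytes per host per day -> {host: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, size in flows:
        totals[host][date] += size
    return totals

def egress_alerts(totals, factor=10, floor=1_000_000_000):
    """Flag a host's day when its outbound volume exceeds both an absolute floor
    (assumed 1 GB) and `factor` times the median of that host's other days."""
    alerts = []
    for host, per_day in totals.items():
        for date, size in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != date]
            baseline = median(others) if others else 0
            if size >= floor and size > factor * baseline:
                alerts.append((host, date, size, baseline))
    return alerts

if __name__ == "__main__":
    for host, date, size, base in egress_alerts(daily_egress(parse_flows(SAMPLE_FLOWS))):
        print(f"ALERT {host} on {date}: {size} bytes out (baseline {base:.0f})")
```

The per-host baseline matters: a fixed global threshold would either miss a quiet host suddenly exporting data or drown a busy backup server in false alerts.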
Companies can encourage employees to open a second personal email account to use as their backup email. Businesses should stress the importance of employees not using their business email address for anything other than business purposes. In addition to the dozens of well-known email providers, there are a number of free email services that are less common such as Proton Mail.
Executives can also be heavily impacted by not taking strong action on a breach. An internal investigation by the Yahoo board found some executives knew about the breach but the board found the executives “failed to properly comprehend or investigate” the breach. The CEO, Marissa Mayer, lost her 2016 bonus and 2017 stock compensation. The top lawyer, Ronald Bell, resigned over the issue.
The pending deal with Verizon was renegotiated and lowered by $350 million, which impacted Yahoo shareholders.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.