Yahoo has announced that every customer account that existed at the time of the 2013 data breach was compromised; the new figure marks a three-fold increase over the estimate it disclosed previously. The disclosure comes four months after Verizon acquired Yahoo’s core internet assets for $4.48 billion, which was already reduced thanks to the breach. IT security experts commented below.
Stephen Moore, Chief Security Strategist at Exabeam:
,
.
Rich Campagna, CEO at Bitglass:
It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm.
When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition. This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business.”
Carl Wright, CRO at AttackIQ:
.
Willy Leichter, VP of Marketing at Virsec Systems:
.
.
Lisa Baergen, Director of Marketing at NuData Security:
- Anyone transacting online needs to know that they *can’t* determine consumer identity solely based on previously confidential consumer data and outdated authentication processes. Javelin Research notes: “Identity proofing — must be tailored to the risks inherent in the channel, market, product type, scenario, and threat environment. In the complex financial ecosystem of 2017, a bifurcated model of identity verification and authentication fails to meet the needs of accountholders or financial institutions. Accordingly, a much more holistic approach is needed to take into account a richer array of context around the identity and behavior of the consumer.”
- Stolen credentials are big business on the dark web, and with over ten billion data records lost or stolen since 2013, criminals have a tremendous amount of consumer data to work with – some of it is very likely yours.
- Given that the average employee or consumer is very likely to reuse their same usernames and passwords across many sites, maybe it’s time to mandate policies that prohibit them from using their work addresses as secondary email addresses for verification purposes? This practice substantially expands the organization’s susceptibility to and likelihood of a phishing attack.
- Authentication that moves beyond simple logins and passwords can’t introduce new friction to interactions, because a significant percentage of customers probably won’t use it. Javelin Research: “Assessing device input behavior can create insights into digital channel fraud, but provider adoption lags. Specifically looking for unique patterns of interaction with input devices, e.g. keyboard, mouse, or touchscreen, behaviometrics can assess everything from suspicious velocity — attempting multiple applications within minutes — to aberrant navigation patterns within an online banking portal, yet the capability is only supported by 41% of ID proofing platforms.”
- Phishing – one of the oldest tricks in the fraudster’s playbook – still works. In fact, with social data and compromised credentials, it works remarkably well. If your policies and training practices aren’t up to par, you’re only inviting needless risk. Many phishing campaigns are so personalized that they have a successful open rate as high as 30%. So it’s not a question of if, but when. Are your employees up to the challenge?
“The fact is that until the organizations that hold our data adopt a tighter layered approach including passive biometric authentication, the impacts of mega breaches will continue to tear at our financial systems and consumer confidence.”
Sam Curry, CSO at Cybereason:
“The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate. This is effectively compounding the three real issues behind the Equifax breach. Today, everyone should have been working under the assumption that they were affected years ago but may need reminding to watch their identities and credit for abuse.”
Jeremiah Grossman, Chief of Security Strategy at SentinelOne: