(FILES) This file photo taken on May 23, 2014 shows a sign in front of the Yahoo! headquarters in Sunnyvale.
Yahoo said September 22, 2016 a massive attack on its network in 2014 accessed data from at least 500 million users and may have been “state sponsored.” “Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” a statement from the US Internet giant. / AFP PHOTO / GETTY IMAGES NORTH AMERICA / JUSTIN SULLIVAN
The second major hack of Yahoo! Inc. user accounts is unlikely to derail Verizon Communications Inc.’s $4.83 billion acquisition of the tech giant, with investors and the public becoming inured to near-daily disclosures of cyberattacks.
Hundreds of U.S. companies fall prey to hackers every year and, in many cases, the data breaches neither hurt bottom lines nor scare away customers for too long. After initial anxieties ease, everyone generally moves on. Experts say the same holds true for Yahoo and Verizon.
“I tend to not feel like these hacks are that big of a deal in the broader scheme of things,” said Michael Mahoney, senior managing director at Falcon Point Capital, which invests in wireless companies. “Obviously they can be damaging. But it doesn’t take too long before people forget about it.”
In the U.S. especially, data breaches continue to mount. Within the past few years, hackers have infiltrated Sony Corp., Target Corp., Home Depot Inc., JPMorgan Chase & Co., auction site EBay Inc. and health insurer Anthem Inc. Almost 1,000 data breaches, including Yahoo’s, occurred in the U.S. just this year, according to the Identity Theft Resource Center. And in all, more than 35 million critical personal records, including social security and passport numbers and medical and banking data, were exposed in 2016.
But Yahoo’s is one of the largest-scale data breaches reported to date. The Sunnyvale, California-based company said that cyber-thieves in 2013 siphoned information from more than 1 billion Yahoo accounts, including users’ e-mail addresses, scrambled account passwords and dates of birth, data that allow criminals to go after more sensitive personal information elsewhere online. It was the second disclosure of a major data breach since Verizon agreed to buy Yahoo. In September, the tech company revealed that more than 500 million users’ data had been hacked in a separate, state-sponsored attack in 2014.
“There are many breaches with many entities that have these types of breaches occurring,” said Eva Casey Velasquez, chief executive officer of the Identity Theft Resource Center.
Since Target’s data breach in 2013, public sentiment has shifted, Velasquez said. “People know what a data breach is. But because it did become so ubiquitous in our conversation, there’s a little bit of apathy.”
And not all breaches are created equal, said Emily Mossburg, a principal at cyber-risk services practice at Deloitte & Touche LLP. Stolen names and account information don’t necessarily have a “broader impact.”
Costs of data breaches have been substantial but not devastating. Target and Home Depot estimated that their data breaches resulted in about $200 million each in expenses not covered by insurance. Those are minimal amounts for big companies their size.
And depending on the type of hack and the data stolen, Yahoo’s legal liability may be negligible. Benjamin Dean, president of Iconoclast Tech, a data-security consultant, said Yahoo is unlikely to incur large losses as a result of recent class-action lawsuits.
“The track record for successful class actions relating to stolen non-payment card data isn’t good,” Dean said. “Those bringing the class action typically have to show material damage due to the data lost in a breach — and this has proven difficult to show or prove.”
Still, Yahoo’s costs may be higher simply because of the magnitude of the breach, and may even lead to a loss of users or advertisers. Larry Ponemon, founder of the Ponemon Institute, a think-tank focused on data security, believes Yahoo’s costs — plus opportunities lost — could be $2 to $3 per customer record, and shave $1 billion from the price Verizon pays.
“The timing couldn’t be worse for Yahoo,” he said.
Verizon may be able to negotiate Yahoo’s purchase price down by 5 percent to 10 percent, said Mahoney of Falcon Point, who doesn’t hold shares of either company. Yahoo’s shares are down 5.5 percent since the close Dec. 14, when the company announced the second breach.
Verizon has been buying internet and media companies to drive growth beyond its maturing wireless business by selling advertising. The company purchased Yahoo in part for traffic to its websites like Yahoo Finance, and that traffic is unlikely to decline because of the breach. According to Alexa Internet, which tracks web viewing, Yahoo fell to the No. 6 most-popular property globally in early December, before the magnitude of the latest breach was revealed, and has held its rank since then. If Yahoo’s numbers remain steady, Verizon should still buy the company, according Roger Entner, an analyst at Recon Analytics LLC.
“Yahoo has a brand that’s pretty good in the marketplace,” added Mahoney, of Falcon Point Capital. Verizon “will certainly” use the breach as leverage to try to reduce the deal’s price, “but I doubt that it changes the strategic rationale for why they want to buy Yahoo,” he said.
Yahoo said it’s confident in the company’s value and continues to work toward integration with Verizon. Jim Gerace, a spokesman for Verizon, said the company will continue to evaluate the situation before making any final decisions.
Powered by WPeMatico