The lesson is clear: Early disclosure of a data breach is better. Lawsuits filed after the breaches have cost companies millions in settlement costs, not to mention legal fees and lost business. That’s true even for corporations whose data breaches resulted in the compromise of customers’ credit card information, such as Target in 2013 and Home Depot in 2014. Tech companies can typically recover quickly from data breaches – if they respond fast and take the necessary steps to notify their users. That effort failed because many states, which have varying requirements, have stricter standards that the federal law would have overruled. In 2015, Democrats proposed giving firms 30 days from discovering a hack to announcing it had happened. Once a company has learned it has been hacked, it’s important to tell customers – and the public – so that people can take proper measures to protect their information, privacy and identities.Īt present there is no federal law regarding when companies must tell the public about information security breaches. Nontechnical reasons that Yahoo took so long to discover the hack could include frequent changes in leadership of its security team and the companywide stress of finding a buyer. In addition, anyone on the internet can claim anything they want – companies have to investigate their systems to find out whether someone who is advertising they have login information for sale actually took anything, or is just making it up to cause trouble. That may suggest the attack was more sophisticated, and therefore harder to detect – but it’s impossible to know if that’s true, because the company has declined to offer details of how the breach was achieved. The company has said it believes the attack was conducted by a national government, though it hasn’t said from what country. As a major internet company with an extremely large user base, it’s reasonable to expect Yahoo might detect – and disclose – breaches much sooner than other firms. That includes all sizes of companies in all types of business. According to a recent report from network security firm FireEye, in 2015 the median amount of time an organization’s network was compromised before the breach was discovered was 146 days. And Verizon said publicly that it had heard about the breach only two days before Yahoo announced it to the world.Īll those events, of course, were years after the breach had actually happened.
financial regulators saying it didn’t know of any claims of “unauthorized access” that might have an effect on its pending sale to Verizon. A news article published on August 1 quoted a company spokesperson saying Yahoo was “aware” a hacker was selling login details for 200 million Yahoo accounts in an online black market.īut more than a month later, the company filed a document with U.S. It’s not yet clear when Yahoo learned about its attack, though in this case the timing is questionable.
0 kommentar(er)
