In what experts are calling the largest data breach in history, Yahoo recently announced that at least 500 million user accounts were breached, with names, e-mail addresses, passwords, and phone numbers stolen in an attack by what it claims was a “state-sponsored actor.”
The breach is bad news for board members, and not just those consulting Verizon amid that company’s planned $4.8 billion acquisition of the once-popular Web portal. Despite the gravity and likelihood of cyber-attacks, new research suggests that directors still rely on free e-mail service providers (ESPs) for both personal and corporate communications.
The warning comes from Diligent, a provider of secure communication and collaboration platforms for executives and board members (it serves 145,000 of the latter). With a survey of Fortune 1000 companies, it found that more than 30 percent of U.S. board members are using a free ESP to communicate. “This practice, especially in the wake of such a massive breach, rings a bell to executives and corporations to be on high alert and revisit security practices,” says Diligent’s CEO Brian Stafford.
The most popular e-mail platforms included Google (44 percent), AOL (17 percent), Yahoo (9 percent), and Comcast (7 percent). Twenty-three percent used other services.
Stafford fears that the Yahoo breach could impact more than average consumers and start involving company confidential information. “Some of the most sensitive information that a company has is what gets sent to the board,” he says. “‘We’re changing out the CEO. We are going to have layoffs. Should we acquire Company X?’”
Board members pose a unique problem. “They are given the most secure information a company has, yet they actually sit outside the firewall,” Stafford says. “Many board members are retired and are on a free e-mail provider for their primary communication.”
While that use of non-company e-mail once made sense, at least in terms of convenience, those communications have become increasingly sensitive as board duties expand and evolve. “There are compliance challenges, governance needs, and expectations for knowing the details for how your company is performing,” Stafford says. “They all require communication that extends beyond a board meeting four times a year.”
Setting aside the Yahoo breach for the moment, other e-mail services can threaten confidentiality. “It is well known that Google scans e-mails to target advertising,” Stafford says. “Are you going to get a headhunter ad? I think people, more and more, will realize the potential exposure from being on these free e-mail services.”
Beyond their selection of an e-mail provider, directors may unknowingly engage in other risky behaviors. Even password-protected PDF files, for example, can be easily cracked if they fall into the wrong hands.
“The reality is that a lot of board members still have their assistants forward documents to the concierge at the hotel they are staying at and have that document printed for them and brought to their room,” Stafford says. “Who knows if they printed two copies, not one, or if there is a copy left sitting in the business center?”
When someone uses a personal or Web-based e-mail account, it is outside of the IT department’s control, worries Austin Berglas, senior managing director and head of the cyber-defense practice for K2 Intelligence.
The text below from author Joe Mont includes an excerpt from a letter to SEC Chair Mary Jo White from Senator Mark Warner regarding the Yahoo matter.
Another Yahoo-related development boards and executives will want to pay close attention to is whether the company becomes a poster child for breach disclosure demands by the Securities and Exchange Commission.
Sen. Mark Warner (D-Va.), cofounder of the bipartisan Senate Cyber-Security Caucus, has sent a letter to the SEC calling on the agency to investigate whether Yahoo fulfilled its obligations under federal securities laws to keep the public and investors informed about the nature of a security breach that has affected more than 500 million accounts. He also wants the Commission to explain why, in his view, so few such events are disclosed.
While Yahoo announced last week that it suffered a major breach in 2014, press reports seem to indicate the company may have been aware of the hack as early as July of this year, Warner says. Under federal law, public companies are required to disclose material events to shareholders within four business days.
The full text of the letter to SEC Chair Mary Jo White is below:
Dear Chair White:
I write to you about important federal securities matters pertaining to the Yahoo breach that may have affected 500 million accounts, and the associated lack of disclosure by the company to the public.
Last week, it was reported that Yahoo suffered a major breach in 2014, compromising more than 500 million accounts. Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year. Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public.
Furthermore, Yahoo has been engaged in an effort to sell its Internet business, including the unit affected by the breach, to Verizon since at least July 25, 2016, yet Yahoo reportedly did not inform Verizon of the breach until September 20, 2016. More puzzlingly, the company noted in a proxy statement as recently as September 9, 2016 that, “To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, security breaches, unauthorized access or unauthorized use of any of seller’s or the business subsidiaries’ information technology systems.”
Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about via Form 8-K within four business days. Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications. A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event.
Additionally, Yahoo’s September filing, asserting lack of knowledge of security incidents involving its IT systems, creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.
I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.
Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature. I would also appreciate answers to the following questions:
What steps are you taking to ensure investors are receiving timely and accurate information in compliance with federal securities laws with respect to cyber-security?
What is your plan to address what appear to be deficiencies in disclosure with respect to cyber events?
Source: Sen. Mark Warner
“No longer are they subject to regular back-up and archiving, governance, security, and whatever else the company has in place,” he says. “You are basically on your own. A company may have installed two-factor authentication on e-mail when you log into your VPN, but if you are using a Web-based e-mail like a Yahoo or Hotmail you are not forced to do that. If companies allow executives or employees to e-mail proprietary information to their personal e-mail accounts, that is, basically, data leakage. If you are allowing that to happen, you are immediately losing control over your data.”
Using e-mail as de facto cloud storage, or using a personal cloud service like Box or Dropbox, also poses risks and complications. “What happens if that individual sends corporate information to his global drive or uploads it to Dropbox and doesn’t have the proper password or two-factor authentication in place? You will not have the ability to track that data,” Berglas says. “If that employee, board member, or executive leaves the company, you have no way of containing the data that individual has taken. These are big, big problems.”
Problems can easily spread like wildfire. Because an executive or board member is a trusted figure within the organization, employees are more likely to open e-mails from them, even if those messages seem unusual or suspicious. Once an account is breached, e-mails sent from it can carry malware that gains further access within the organization. “Now your entire network is compromised,” Berglas warns. Hackers can also test stolen passwords to see whether the same credentials are reused for other personal and corporate accounts. “There are many vectors to get in,” he says.
To underscore the problem, Berglas offers a reminder that even John Brennan, former director of the U.S. Central Intelligence Agency, had sensitive information breached through his personal AOL account.
“Even people in places of leadership and decision making in this space, those who preach it on a daily basis, are making that same error,” he says. “In the choice between security and accessibility, what path are you going to take?”
Much is made in compliance circles about tone at the top. The notion that executives and directors should be the first to follow rules, practices, and protocols established for employees is especially true when it comes to cyber-security. “Actions speak louder than words,” Berglas says. “Everyone from senior executives to mid-management needs to set an example. There are layers of security and steps that need to be taken to protect information. The problem is that, oftentimes, the folks at the top of that food chain who have the most access inside the organization don’t adhere to the policies they are approving.”
Technology alone won’t secure a company’s assets; there needs to be a culture change, says Harriet Pearson, a partner with law firm Hogan Lovells and an internationally recognized corporate data privacy and cyber-security pioneer.
“It is a culture change,” she says. “Just as we saw awareness and sophistication increase in the areas of Sarbanes-Oxley compliance and Foreign Corrupt Practices Act compliance, so too are we coming up the curve with respect to security-aware and security-conscious behaviors that need to be in the C-suite. There are some basic things, blocking and tackling and important lead-by-behavior examples, that everyone in leadership roles should be held accountable for.”
Beyond e-mail, the Yahoo breach raises another concern that boards must attend to: liability.
Post-breach notification lawsuits are already being filed in Federal District Court in San Jose, accusing Yahoo of gross negligence. The lawsuits should further fuel cyber-security efforts, says Tim Erlin, senior director of IT security and risk strategy for Tripwire, a software company that offers security and compliance automation products.
“Financial loss is absolutely a motivator for organizations to implement stronger security controls,” he says. “A successful civil suit, with material damages, will cause other organizations to take notice and work to avoid the same culpability.”