The Hidden Costs of Acquisition: Verizon, Yahoo, and the Multi-Billion Dollar Cybersecurity Oversight


Sitting in the dubious position of the largest cybersecurity breach to date by number of records stolen is the Yahoo breach, in which all 3 billion user accounts were affected. The breaches came to light while a major acquisition by Verizon was being finalized, although the full 3 billion figure was only disclosed in October 2017, after the deal had closed.

In the evolving landscape of cybersecurity, the Yahoo-Verizon acquisition serves as a sobering case study. It illustrates the pitfalls of due diligence failures and the far-reaching consequences a single breach can have on both the acquired and the acquiring company.


Timeline

The Breach Itself

Yahoo’s 2014 breach began with a spear-phishing email sent to a Yahoo employee. Despite its innocuous appearance, the email carried a malicious link that gave the attackers a foothold on Yahoo’s internal network, from which they reached the company’s user database. It wasn’t just usernames and hashed passwords that were stolen; personal information such as dates of birth, telephone numbers and security questions and answers was also taken. The breach was not publicly disclosed for almost two years. Yahoo’s own security team detected the intrusion within days, so the failure was less one of detection than of escalation, investigation and disclosure: the information did not lead to timely action by senior management or to a public notification.

The acquisition

The initial groundwork for Verizon’s acquisition of Yahoo’s core internet business started in July 2016, with the agreed deal standing at USD$4.83 billion. Just a couple of months later, in September 2016, after the agreement had been signed but before the deal closed, Yahoo announced that it had suffered a data breach in 2014 affecting at least 500 million user accounts. This was followed by a separate revelation in December 2016 that it had suffered an even larger breach in 2013, affecting a staggering 1 billion user accounts (a figure revised in October 2017 to all 3 billion accounts).


What happened next

Upon learning of the breaches, Verizon began renegotiating the price; in February 2017 the two companies agreed to a $350 million reduction.

Post-acquisition, Verizon set about integrating Yahoo’s assets into its existing security framework and audited the acquired estate to identify and remedy any lingering vulnerabilities.

Verizon also negotiated liability-sharing terms. The remainder of Yahoo (the holding company that kept its Alibaba and Yahoo Japan stakes, renamed Altaba after the sale) stayed outside the deal, and the amended agreement split breach-related liabilities between the two: certain cash liabilities from third-party litigation and non-SEC government investigations were shared 50/50, while liabilities from SEC investigations and shareholder lawsuits remained with the entity Verizon left behind.

These legal maneuvers were aimed at mitigating the financial and reputational risks Verizon had absorbed.

Ultimately, the purchase was finalized in June 2017 at a reduced price of $4.48 billion.

Financial Implications for Verizon and Yahoo

The immediate financial ramification for Yahoo was the reduction of the acquisition price by $350 million, not to mention the extensive legal costs incurred to renegotiate a deal that had already been signed.

For Verizon, the acquisition still made strategic sense despite the added security liabilities and related costs. However, the lingering doubt about Yahoo’s security had an intangible impact on Verizon’s brand reputation, an effect that is hard to quantify but significant nonetheless.

In April 2018, Altaba, the entity left behind after Verizon’s purchase of the Yahoo operating business, agreed to pay a USD$35 million penalty to the U.S. Securities and Exchange Commission (SEC) for failing to disclose the 2014 breach to investors, the SEC’s first enforcement action against a public company for failing to disclose a cyber incident. The SEC found that Yahoo’s information security team had learned of the breach within days, in December 2014, but that the company did not disclose it publicly, or to its investors, for almost two years.

In addition to the SEC penalty, Yahoo also faced class-action lawsuits from affected users. In 2019, Yahoo proposed a $117.5 million settlement for the consolidated class actions related to the data breaches. The original proposal, $50 million plus credit monitoring, had been rejected in January 2019 by U.S. District Judge Lucy Koh as inadequate, and the amount was increased in the revised settlement, which received final approval in 2020.

The internal costs incurred by both entities for forensic analysis, enhanced security measures, legal consultations, and public relations efforts to mitigate damage to Yahoo’s reputation are not publicly known.

 

If they had their time again…

Although the acquisition process traditionally involves in-depth vetting and due diligence, it has not traditionally examined cybersecurity risk in detail.

Verizon did carry out due diligence before agreeing to acquire Yahoo, but the extent and effectiveness of that scrutiny, particularly of Yahoo’s cybersecurity posture, have been subjects of discussion and critique. Due diligence generally involves a comprehensive review of the financial, legal and operational aspects of the target, which should include its cybersecurity measures. In the case of Yahoo and Verizon, however, it appears that either the process did not delve deep enough into cybersecurity, or the existing issues were not identified or flagged as significant risks.

Industry best practices such as penetration testing, vulnerability assessments and independent third-party audits appear either not to have been conducted or not to have been applied rigorously. Carried out meticulously, they would likely have exposed weaknesses in Yahoo’s security posture. One caveat: a point-in-time test in 2016 reveals current exposures, not an intrusion from 2013 or 2014. Surfacing that required asking the right questions of the right people. Yahoo’s own independent committee later found that its security team and some senior staff had known of the 2014 intrusion since that year, so interviews with the security team, a review of incident records and an independent forensic assessment of the environment belonged on the diligence checklist alongside the technical testing.

The original purchase agreement, before it was renegotiated, also did not explicitly set out the parties’ rights and obligations concerning cybersecurity risks, leaving Verizon exposed to inheriting Yahoo’s security liabilities.

Posted on

2023-10-07