Yahoo’s Security and Privacy Gaffes May Cost It $1 Billion

Verizon could reduce its offer to buy Yahoo by $1 Billion.

It has been a bad few weeks for Yahoo, which has been the subject of numerous headlines following two major security and privacy blunders.

First, Yahoo announced that more than 500 million user accounts had been compromised in the largest breach in history. Then it was discovered that Yahoo had been secretly scanning all of its users’ emails at the request of U.S. intelligence.

In July, Verizon made a deal to buy Yahoo for $4.83 billion. Now, the New York Post is reporting that Verizon is looking to reduce that figure by up to a billion dollars as a direct result of these incidents.

The security community has been in an uproar over Yahoo’s handling of a secret order from the U.S. government. The scanning was requested by a Foreign Intelligence Surveillance Court order, after evidence was found that “foreign terrorist organizations were communicating using Yahoo’s email service and with a method that involved a ‘highly unique’ identifier or signature, but the investigators did not know which specific email accounts those agents were using,” reported the New York Times.

According to reports, Yahoo intentionally hid this order and the email scanning from its internal security team, implementing it without their knowledge or consultation. Motherboard reported that the tool may not have even been written by Yahoo employees, meaning that Yahoo may have recklessly put third-party code into production without any security review, and that it behaved “like a ‘rootkit’.”

Ironically, Yahoo’s security team discovered the scanning tool shortly after and reported it as a malware infection.

Per Motherboard, “when the head of security at the time, Alex Stamos, found out it was installed on purpose, he spoke with management; afterward, ‘somehow they covered it up and closed the issue fast enough that most of the [security] team didn’t find out,’ the source said.”

Yan Zhu, a former security engineer at Yahoo, was working on end-to-end encryption support for Yahoo Mail around the same time that this surveillance began. Yahoo never implemented any end-to-end encryption capabilities.

If Verizon’s deal does change as a result of these incidents, it could be one of the first times that a privacy/security blunder has cost a company such a considerable amount.

Despite all the negative press that companies receive for security breaches and privacy violations, it rarely translates into real financial costs. An analysis performed last year showed that “actual expenses [related to breaches] reported by these companies amounted to less than 1% of each company’s annual revenues.”

Companies also aren’t seeing any real impact on their stock prices. Both Home Depot and Target had high-profile breaches, but the negative effect on their stock prices was only temporary.

Many security advocates and security experts have expressed concern over how few consequences companies face over customer data breaches. The boilerplate response is usually an apology, a promise that security is a “top priority,” and free credit monitoring.

Verizon itself has estimated that stolen customer records may only be worth 58 cents each. But even at that price, the scale of Yahoo’s massive blunders may still cost it quite a bit.