Latest data breach could scupper Verizon takeover of Yahoo

16 Dec 2016

A Verizon building in New York. Image: DayOwl/Shutterstock

A second data breach at Yahoo that saw 1bn users’ details stolen by hackers has prompted Verizon to seek a price cut on its $4.8bn acquisition of Yahoo, or it may walk away altogether.

This week, Yahoo disclosed that 1bn users’ details had been stolen in 2013 by hackers using forged cookies to gain access to Yahoo’s proprietary code. These users include 150,000 US government employees.

Yahoo said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

This is on top of the 500m users’ details that it revealed had also been stolen by hackers in 2014.

The timing of the disclosures is troubling for Yahoo, which is in the midst of a $4.8bn takeover by Verizon.

Data breach fallout: Verizon may seek price cut on Yahoo or exit deal

Now it has emerged that Verizon may be getting cold feet and is exploring a price cut, or possible exit, from the deal.

Bloomberg reported that a Verizon group led by AOL chief executive Tim Armstrong is focused on integration planning around Yahoo.

But a separate legal team that is walled off from the integration team is reviewing the breach disclosures.

The legal team is led by Verizon general counsel Craig Silliman, and it is focused on assessing the damage from the breaches and avoiding any future legal fallout.

The disclosure of the breaches saw Yahoo shares fall by as much as 6.5pc yesterday (15 December) to $38.25.

Ireland’s Data Protection Commissioner is understood to be urgently examining the latest Yahoo breach as the company has key European offices in Dublin. It is also examining the 2014 breach disclosed in September.

“We are urgently examining the facts that have been made available to us in order to ascertain the further investigative questions we need to pose and steps to be taken, in order to ultimately conclude if European data protection laws have been breached,” the Data Protection Commissioner said in a statement.

“Yahoo EMEA is the Irish-based data controller for all European-based users of the Yahoo services, and has obligations under Irish data protection laws to ensure any processor to which it transfers personal data (in this case to Yahoo Inc) provides sufficient guarantees in respect of the technical security measures governing the processing.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years