Trust is the foundation of businesses. People trust that businesses know what they’re doing. They trust that businesses will respect their opinions. They trust that businesses can deliver what they promised. In the 21st century, with the advent of e-commerce and online profiles, people now trust businesses to keep their private information safe.
But sometimes, even though companies sweep their software for weaknesses and run networks through automated performance tests, they fail to account for one of the most dangerous errors of all: human errors. One person’s mistake can break the trust of a lot of people. In 2013, web service provider Yahoo broke the trust of billions of people.
How the Heist Happened
Two Latvian hackers spearheaded the world’s worst cybersecurity breach. Russian agents employed them to hack Yahoo’s user database and the software that the company used to edit and manage it. To pull off this heist, the Latvian hackers sent e-mails to specific Yahoo employees. The e-mails contained a link that would give the hackers access to Yahoo’s network. They also disguised their e-mails to make them seem legitimate. Cybersecurity experts call this practice spear phishing, and it needs to fool only one employee to work: one person who clicks the link and blows the metaphorical vault wide open.
And one Yahoo employee did. In one click, the Latvian hackers had complete access to the company’s network. They found the user database and the management tool. The hackers kept their access to Yahoo’s network by installing a backdoor. As a further precaution, the hackers downloaded a copy of the entire user database onto a computer. With complete access to the information stored in the user database, the hackers managed to locate and maintain access to the accounts their Russian handlers wanted.
Yahoo did not release the full scope of the attack for three years.
What Happened Afterwards
In 2016, Yahoo revealed that the Latvian hackers had compromised the security of all three billion user accounts. The company’s decision to hide the facts until three years after the breach cost it a fine of $35 million. The federal court of San Jose also ordered Yahoo to create a $50 million fund to compensate users. Each user can get up to $375 from this fund, at $25 for each hour spent correcting mistakes and dealing with issues caused by the attack. This is contingent on the user documenting said hours. People who can’t do so can still claim $125 from the fund.
The courts rejected this offer and ordered Yahoo to increase the settlement fund to $117.5 million. The company agreed to the requirement in April 2019. Yahoo suffered more humiliation afterward. Telecommunications provider Verizon was purchasing the company at the time, and the breach lowered the price tag by as much as $350 million.
A wise woman once compared trust to a mirror: you can repair a broken mirror, but the cracks will forever mar the reflection. Although the data breach was the fault of the hackers, Yahoo was responsible for the private information of billions of people. They made a mistake, and instead of warning their users of the threat, they chose to keep it quiet. That’s a hammer to the mirror of trust any day. If there’s any consolation, Verizon has folded Yahoo into several other assets, and what was once the Google of the ’90s is no more.