Yahoo! has determined, and disclosed, that all three billion of its email users were in fact compromised in its 2013 breach, which was already massive and is now known to be larger than believed. The revision multiplies the largest breach in history by a factor of three. Yahoo!'s new corporate parent, Verizon, which closed its acquisition of Yahoo! this summer, disclosed the new figure late yesterday on the basis of fresh evidence. Coming on the heels of the Equifax debacle and numerous other data exposures we're now conditioned to regard as relatively small, this slow-developing mess has reinforced calls for data-security regulation at least as stringent as GDPR. It may also prompt stricter liability for corporate officers, perhaps even for government officials.
The Congressional testimony of Equifax's departed CEO, Richard Smith, mollified few and reinforced a picture of poor preparation and response. He said the breach originated with someone's failure in March to communicate that Apache Struts needed to be patched. A subsequent scan to identify software needing updates also failed to catch the oversight. (That second scan is being called a "failsafe" measure, which seems incorrect. It was a redundant check; a failsafe system would shut down rather than permit operation in an unsafe mode.) Smith said the failed scan is "still under investigation by outside counsel."
Many are surprised to learn that the US Internal Revenue Service just gave Equifax a $7.25 million contract for tax fraud prevention work.
A large data breach affecting some six thousand businesses and government agencies seems to be unfolding in India.