Equipo Nizkor
        Bookshop | Donate
Derechos | Equipo Nizkor       


What the Hacking at Yahoo Means for Verizon

It was the kind of phone call no chief executive wants to make — or receive — in the middle of a multibillion-dollar deal.

On Tuesday, Lowell McAdam, the head of Verizon Communications, was on the road. Marissa Mayer, the chief executive of Yahoo, was at work in Silicon Valley. Executives at both companies were moving forward on Verizon's $4.8 billion acquisition of Yahoo's core business.

But Ms. Mayer had some unexpected bad news. She caught up with Mr. McAdam and Marni Walden, a rising star at Verizon who is expected to oversee the Yahoo business after the deal is complete, by phone, according to people briefed on the call, who spoke on the condition of anonymity.

Yahoo recently discovered that at least 500 million of its user accounts had been breached by hackers two years ago, well before the two companies began talks. Yahoo and law enforcement officials were scrambling to unwind the intrusion.

After calling Mr. McAdam and Ms. Walden, Ms. Mayer phoned Tim Armstrong, who leads the AOL business at Verizon and will be overseeing the integration with Yahoo, according to the people briefed on the conversation. Again, the news was not good.

The calls set off a flurry of questions at Verizon — How could this possibly have happened? Who was behind it? Why is it only becoming known now? Could this jeopardize the deal? — but also the sounding of an alarm and the deployment of a triage team to assist Yahoo.

The telecom giant directed its online security experts, including Chandra McMahon, Verizon's chief information security officer, to do their own investigation of the hack. And they enlisted the help of Verizon's security division, part of its enterprise solutions business, which helps companies defend against and manage hacks.

Now, just a few days after Verizon learned of the breach, it is contending with the ramifications of what is believed to be the largest hack of a single company. Even as Verizon tries to assess the damage at Yahoo and prevent further security intrusions, the scope of the hack and the potential fallout — including the possibility of a costly class-action lawsuit — are inevitably prompting renewed scrutiny of a deal that was intended to transform the telecom behemoth into a digital media powerhouse.

For now, Verizon has given no indication of whether the breach will affect its plans to acquire Yahoo. On Friday, the company declined to provide a comment beyond a statement it issued on Thursday, in which it said it would evaluate the situation "as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."

On Friday, Yahoo said, "Our investigation into this matter is ongoing and the issues are complex."

The effort is complicated because the sales proceedings between Verizon and Yahoo are at an early stage. Though teams from the two companies were already working together on integration plans, Verizon does not yet own Yahoo. As a result, Verizon does not have direct access to the Silicon Valley company's servers to conduct its own investigation.

In late July, after the Verizon deal was announced, Yahoo became aware of a claim that about 280 million of its user credentials had been hacked, according to a person briefed on the specifics, who spoke on the condition of anonymity. Yahoo started an investigation but could not substantiate the claim, this person said. It was not clear on Friday whether Yahoo had made Verizon aware that it was looking into this claim in July.

During the course of that investigation, Yahoo learned of the more severe breach, which it has said it believes was state-sponsored. Yahoo has not yet said exactly when it realized how large the intrusion was, leaving open the question of whether Ms. Mayer and her team waited to notify Verizon of the hack. Yahoo is now working with outside security consultants and said its investigation was continuing.

Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.

"They could say, 'This thing is huge. We want to walk away from the transaction,'" he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.

Such claims can be difficult to prove in court. According to Mr. Quinn's reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information.

In the merger agreement, Yahoo states that "there have not been any incidents of, or third-party claims alleging" security breaches or thefts of user data that might result in a major change to the value of the company.

More likely, Mr. Quinn said, Verizon could pressure Yahoo to renegotiate the terms of the deal.

"They go to court, or threaten to go to court, and renegotiate the price," he said. "That can be a very winning strategy."

Like any big company contemplating an acquisition, Verizon performed due diligence on Yahoo before it agreed to the deal. It was not immediately clear, however, how seriously it took security issues during that process.

But Verizon would have known that Yahoo has a history of breaches. In 2012, Yahoo said that more than 450,000 user accounts had been hacked.

Such issues are increasingly pertinent to mergers and acquisitions. In a 2014 report, lawyers from Freshfields Bruckhaus Deringer wrote that corporate buyers were still not taking security due diligence seriously enough.

"With this concerted action and a series of high-profile strikes on businesses including eBay, Target and Yahoo, the risks of cyberattack are evident," they wrote.

"Yet as the global economy recovers and deal activity rises," the report continues, "increasing awareness of cyber-risk has not resulted in meaningful changes" to the mergers and acquisition process.

Verizon is purchasing Yahoo in the hope that the internet portal will make it a major player in the digital media business, positioning the company to compete with Google and Facebook for ad dollars. The biggest wireless carrier in the United States, with roots going back to the first telephone call in history, Verizon is facing declining revenue and is looking to Silicon Valley for growth.

Those motivations are unlikely to have changed in the course of two months. But it remains unclear whether this new information has made Yahoo a less desirable acquisition target.

Some of Verizon's executives have indicated they may be up to the challenge of a big hack. In a recent talk at Penn State University, Ms. McMahon, the telecom company's chief information security officer, suggested that she relished the cat-and-mouse game between hackers and companies.

"I love security," she said. "I love the offense and the defense of it. The bad guys are innovating just as much as the good guys in terms of their defense. Our job as defenders is to see all that."

[Source: By David Gelles, International New York Times, 23Sep16]

Bookshop Donate Radio Nizkor

Privacy and counterintelligence
small logoThis document has been published on 28Sep16 by the Equipo Nizkor and Derechos Human Rights. In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.