Yahoo has just acknowledged the theft of information relating to more than 1 billion customer accounts … in 2013. Yes, 3 years ago.
Faced with this situation, several interpretations are possible: either, as a result of analysing the incident they suffered in 2014 (which they reported in September), they extended the forensic analysis further back in time and discovered that in 2013 they had suffered the largest information theft ever suffered by a single company; or they already knew about it and decided to report it now, before the news leaked out through another source. I can even think of a third possibility (and perhaps one of you could think of a fourth): that it was a malicious leak, now that Verizon is formalizing a bid for Yahoo.
If the first option were true, it would mean that Yahoo was not adequately monitoring the security of its entire IT infrastructure: it had suffered a very high impact incident and had not even noticed, which shows how badly the company was managing the security of its customers’ information.
If the second option were true, it would indicate that they did properly manage the security of their infrastructure and had detected the security incident. But that would almost be worse, because, for whatever reason, they had decided to hide it from public opinion and, more seriously, from their own customers. It is of little use that now, 3 years later, they recommend changing access credentials.
I will not go into assessing the third possibility.
In any case, this news puts the focus on an issue that has been “in the spotlight” lately, and which, without looking any further, was the central theme of one of the roundtable discussions held at the 10th STIC CCN-CERT Conference that took place this week in Madrid, organized by the CNI, and in which, by the way, S2 Grupo played a leading role of which I feel very proud. That issue is the communication of security incidents by companies. The roundtable brought together different actors involved in the coordination of cybersecurity at the national level, such as the CCN, the CNPIC, the Spanish Data Protection Agency and the Ministry of Energy, Tourism and Digital Agenda, among others, the latter being responsible for coordinating the transposition of the NIS Directive into Spanish legislation.
Both the LPIC and the ENS (after the amendments that modified their scope), as well as the General Data Protection Regulation and the NIS Directive, establish, among other things, the obligation to diligently notify the competent authorities in each case of any security incident that has a relevant impact on the services they provide or on the information they handle.
And for a company to be able to communicate an incident diligently, it must be able to know what is happening “in real time” in any of its headquarters and offices, taking into account the different contexts regulated by the legal instruments cited. We may be talking about a cyber incident, a physical incident, a leak of personal data, or the possible commission of a crime within the organization, which also links to the need, introduced by last year’s reform of the Penal Code, to implement internal control systems that allow any irregularity occurring in a company to be detected.
In short, 2017 is going to be a very interesting and very busy year, for different reasons, in our sector. We started with bad news from the point of view of security, and we end with good news for those of us who work in this field. You have to stay positive ;)