This article was originally published at The Conversation. The publication contributed the article to Live Science's Expert Voices: Op-Ed & Insights.
In late September, Yahoo announced that at least 500 million user accounts had been compromised. The data stolen included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data. Large data breaches have become increasingly common: Just in 2016 we have found out about Yahoo’s breach as well as the LinkedIn hack (compromising 167 million accounts) and the MySpace breach (360 million accounts).
The Yahoo breach affected more users than the other two, but all of them share a crucial element: They were announced to the public years after the fact. The LinkedIn hack happened in 2012, MySpace was breached in 2013 and Yahoo was hacked in 2014. Not until 2016 did users of the three sites found out their information had been stolen.
When personal information is stolen, rapid response is important. Customers need to change their passwords, and take other steps to protect their identity, including securing bank accounts and credit records. If people don’t know a breach has occurred and that they need to take these protective steps, they remain vulnerable.
So why does it take such a long time for companies to disclose that they have been hacked? It’s not as simple as you might think – or hope.
But more than a month later, the company filed a document with U.S. financial regulators saying it didn’t know of any claims of “unauthorized access” that might have an effect on its pending sale to Verizon. And Verizon said publicly that it had heard about the breach only two days before Yahoo announced it to the world.
All those events, of course, were years after the breach had actually happened. This is an uncommonly long delay. According to a recent report from network security firm FireEye, in 2015 the median amount of time an organization’s network was compromised before the breach was discovered was 146 days.
That includes all sizes of companies in all types of business. As a major internet company with an extremely large user base, it’s reasonable to expect Yahoo might detect – and disclose – breaches much sooner than other firms.
In addition, anyone on the internet can claim anything they want – companies have to investigate their systems to find out whether someone who is advertising they have login information for sale actually took anything, or is just making it up to cause trouble.
Nontechnical reasons that Yahoo took so long to discover the hack could include frequent changes in leadership of its security team and the companywide stress of finding a buyer.
At present there is no federal law regarding when companies must tell the public about information security breaches. In 2015, Democrats proposed giving firms 30 days from discovering a hack to announcing it had happened. That effort failed because many states, which have varying requirements, have stricter standards that the federal law would have overruled.
Lawsuits filed after the breaches have cost companies millions in settlement costs, not to mention legal fees and lost business. The lesson is clear: Early disclosure of a data breach is better. If Yahoo knew about its hack as early as August – or even years ago – and took this long to announce it to the public, the company has manifestly betrayed its users’ trust.
Though Yahoo urged users to change their passwords and security questions after the public disclosure of the security breach, thousands of users took to social media to express anger that it had taken the company two years to uncover the data breach. The lawsuits filed against Yahoo are mounting.
It can be extremely difficult for companies, even tech-focused ones like Yahoo, to protect themselves from skilled and determined hackers. But not reporting the attack as soon as it’s suspected can be almost as damaging as the hack itself.
Yanfang Ye, Assistant Professor of Computer Science and Electrical Engineering, West Virginia University
This article was originally published on The Conversation. Read the original article.