Yahoo faces 'at least' 23 lawsuits over its massive data breach
Yahoo offered more details on the security breach's effect on its business in an SEC filing on Wednesday.
Although the company says it spent only $1 million related to the breach last quarter, it admitted that the breach may "cause users and customers to curtail or stop using our products and services."
CEO Marissa Mayer said last month that she was "heartened" by Yahoo's users showing "continued loyalty as seen in our user engagement trends" despite the hack.
The breach could also cost the company more in the near future, as 23 lawsuits seeking class action status have been filed against Yahoo over the breach. However, Yahoo did not provide an estimate of what the total cost of the breach could be, saying only that it could be material.
Yahoo also said that several different government agencies were looking into the breach:
In addition, the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney's office for the Southern District of New York.
Yahoo listed effects from the "security incident" as risk factors facing the company.
"Yahoo is routinely targeted by outside third parties, including technically sophisticated and well-resourced state-sponsored actors, attempting to access or steal our user and customer data or otherwise compromise user accounts. We believe such a state-sponsored actor was responsible for the theft involved in the Security Incident," the company wrote.
The revelation of the hack has come at a time when Yahoo is in the process of selling itself to Verizon, and has thrown a potential wrench into the $4.8 billion deal, particularly if Yahoo users get spooked and stop using the service.
Here's what Yahoo had to say about the data breach being a risk factor:
The investigation into the Security Incident is ongoing and we are still in the process of determining all of the facts and assessing the full extent of its impact and the impact of related government investigations and civil litigation on our results of operations, which could be material.
The Security Incident involved the theft of certain user account information for at least 500 million user accounts. The investigation of the Security Incident is ongoing, and we are still in the process of assessing the financial and other effects of the Security Incident. We may identify additional information that was accessed or stolen, or develop a clearer understanding of the Security Incident, evidence of such compromise in 2014 or related issues, and other developments related to the Security Incident could occur, which could have an adverse impact on our business, results of operations, financial results, and reputation. For example, our forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users' accounts or account information. As a result of the Security Incident, we are facing at least 23 putative consumer class action lawsuits and other lawsuits and claims may be asserted by or on behalf of users, partners, shareholders, or others seeking damages or other related relief, allegedly arising out of the Security Incident. We are also facing investigations by a number of federal, state, and foreign governmental officials and agencies. These claims and investigations may adversely affect how we operate our business, divert the attention of management from the operation of the business, and result in additional costs and potential fines. In addition, the governmental agencies investigating the Security Incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties which could, among other things, materially increase our data security costs, and affect how we operate our systems and collect and use customer and user information.
Our security measures may be breached as they were in the Security Incident and user data accessed, which may cause users and customers to curtail or stop using our products and services, and may cause us to incur significant legal and financial exposure.
Our products and services involve the storage and transmission of Yahoo's users' and customers' personal and proprietary information in our facilities and on our equipment, networks, and corporate systems. Yahoo is routinely targeted by outside third parties, including technically sophisticated and well-resourced state-sponsored actors, attempting to access or steal our user and customer data or otherwise compromise user accounts. We believe such a state-sponsored actor was responsible for the theft involved in the Security Incident. Security breaches or other unauthorized access or actions expose us to a risk of theft of user data, regulatory actions, litigation, investigations, remediation costs, damage to our reputation and brand, loss of user and partner confidence in the security of our products and services and resulting fees, costs, and expenses, loss of revenue, damage to our reputation, and potential liability. Outside parties may attempt to fraudulently induce employees, users, partners, or customers to disclose sensitive information or take other actions to gain access to our data or our users' or customers' data. In addition, hardware, software, or applications we procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise network and data security. In addition, our or our partners' implementation of software may contain security vulnerabilities or may not be implemented properly due to human error or limitations in our systems. Additionally, some third parties, such as our distribution partners, service providers, vendors, and app developers, may receive or store information provided by us or by our users through applications that are integrated with Yahoo properties and services. If these third parties fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed. 
Security breaches or other unauthorized access (such as the Security Incident) have resulted in, and may in the future result in, a combination of significant legal and financial exposure, increased remediation and other costs, damage to our reputation, and a loss of confidence in the security of our products, services, and networks that could have a significantly adverse effect on our business. We take steps to prevent unauthorized access to our corporate systems, however, because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently or may be disguised or difficult to detect, or designed to remain dormant until a triggering event, we may be unable to anticipate these techniques or implement adequate preventative measures. Breaches of our security measures, such as the Security Incident, or perceived breaches, have caused and may in the future cause, the market perception of the effectiveness of our security measures to be harmed and cause us to lose users and customers.