A Business's Reputation Depends On How They Handle a Cyber Breach
It is over two weeks since news first broke of the biggest data breach in history, and the pressure continues to mount on Yahoo to disclose how much it already knew about the breach in 2014; did they intentionally delay disclosing the issue to a potential acquirer (Verizon)?
When they first publicly disclosed details of the attack (which resulted in the loss of data for 500 million users), Yahoo were at pains to say that they were the victims of a state-sponsored attack, although little supporting evidence was presented to suggest that this was indeed the case.
How to Handle Such a Breach?
This raises an interesting question regarding the reporting of such high profile breaches: do companies perceive that the public will have greater empathy and perhaps be less critical of a company if they have been the victim of a state-sponsored attack as opposed to a run-of-the-mill criminal? In fact, an increasing number of security experts are now suggesting that the massive breach was indeed carried out by criminals and not a nation state.
Recent reports have also suggested that the final number of records lost could be closer to 1 billion. Regardless of the final number, one of the main criticisms of this case is not necessarily how Yahoo lost the data two years ago (since, other than size, this was no better or worse than any number of publicised large data thefts), but more about why it took them so long to acknowledge it and the time it took to notify customers to take remedial action.
Large-scale data breaches will continue to be mainstream and it is important that companies continue to protect client data proportionately. However, as this recent case demonstrates, the integrity and reputation of a company will more likely be judged by the professionalism, honesty and openness in which a company responds.
It is yet another lesson for company board members, in preparation for the breaches that could one day happen to them.