Verizon’s risky business: Acquiring the world’s biggest hack

The Verizon RISK Team – which publishes the popular Data Breach Investigations Report (DBIR) and performs cyber investigations for hundreds of commercial enterprises and government agencies across the globe – just released its 2017 Data Breach Digest.

Yahoo suffered the biggest known hack of user data ever, with more than 1 billion user accounts exposed.

Talk about polar opposites. And to think, Verizon Communications, Inc. will be acquiring Yahoo, Inc.’s core business for nearly $4.5 billion. The price tag is roughly $350 million less than what Verizon – the market leading U.S. wireless carrier – originally offered.

The cost per breach – as Verizon’s RISK group calls it when determining the fallout in connection with a hack – on the Verizon and Yahoo! deal is staggering. $350 million is just for starters.

A story in Marketing Week this past summer reported that YouGov’s BrandIndex – which measures corporate reputations – gave Yahoo a score of less than 4, compared with Google’s score of 36.

Yahoo already has a shrunken reputation as an old school internet company trying to go new school with its Flickr, Tumblr, and other digital properties. The value of its business is tied to how many people are tuning their PCs, laptops, tablets, and smartphones into Yahoo channels.

Google’s Gmail is used by more than 1 billion people and poses a major threat to Yahoo’s user base. Switching from Yahoo Mail to Gmail is easy, and offers users more data security and peace of mind – with comparable services for photo sharing and other social activities. A mass defection of its email users would be a huge and costly blow to Yahoo.

Brian Krebs, author of the immensely popular blog Krebs on Security, a top source for deep-dive investigations into the latest hacks and breaches launched against corporations and governments, has been urging his friends and family to migrate off Yahoo mail for years. His blog states that Yahoo appeared to fall far behind its peers in blocking spam and other email-based attacks. A recent CSO story reports that Google’s state-of-the-art email classifier detects abusive messages with 99.9 percent accuracy.

The big picture for Verizon – which originally offered nearly $5 billion to buy Yahoo – is taking over a massive (and hopefully loyal) user base. The more eyeballs for Verizon, the more advertising dollars for them.

An interesting twist on the deal – and one that Verizon corporate may not be thinking through – is how its own RISK Team may further devalue the Yahoo brand. The cybersecurity industry is sure to press for a DBIR assessment on the total cost-per-breach in connection with the Yahoo hacks.

Reputational harm due to a major data breach can be devastating. Target’s reputation took a post-hack beating in 2013… and to this day the company remains inextricably linked to the list of biggest hack victims ever. Target, Sony, OPM, Yahoo, etc. – not the kind of list that any company wants to be on.

When the deal closes, will Verizon’s RISK Team provide a report on the total damage costs involved with the Yahoo hacks? Is it possible that the total cost per breach would add another zero to the end of that $350 million? And what if they fail to provide a report? That could damage the RISK Team’s brand.

In 2016, Verizon’s RISK team investigated more than 500 cybersecurity incidents in more than 40 countries. The Verizon Enterprise Security group has been securing enterprise-level networks and infrastructure for decades. They provide professional services, network and gateway security, security monitoring and operations, incident response, and other security services. That’s a big business in of itself – and one with lots of headroom for growth if Verizon corporate is serious about cybersecurity, a market that is projected to be worth $1 trillion over the next five years.

Security is at the core of Verizon’s business – which includes network security around its customers wireless data. The trustworthiness of the Verizon brand is central to its market value.

Cybersecurity Ventures conducted a Twitter poll – asking is the Yahoo acquisition good or bad for Verizon’s security business. Seventy-seven percent of respondents voted bad, and 23 percent voted good. (Disclaimer: Steve Morgan is founder and Editor-In-Chief at Cybersecurity Ventures, and he votes Good – more on that in a future story.)

One respondent, Thomas Doty, Esq., wrote “Bad. If the major oversight exhibited in the security and technical due diligence portion of this M&A action is any indication of Verizon’s security IAM, then it indicates no benefit from that side of either organization. The breach liability tail surrounding this acquisition should have killed the deal, and may highlight that Verizon DBIR really is not reputable when it comes to actual security advice at a board level.” Doty describes himself as a cyber evangelist with over 30 years technology experience as startup adviser, legal strategist, entrepreneur, attorney and military veteran.

Most of the other respondents – which included corporate executives, CISOs, and IT security team members – chose to remain anonymous.

By any measure, the Yahoo deal is risky business for Verizon.