SAN FRANCISCO — Yahoo's trouble over its massive data breach is far from over.
The first of what is expected to be multiple lawsuits linked to the breach was brought in U.S. District Court in San Jose, Calif. Friday by customer Robert Schwartz, who accused Yahoo of failing to adequately protect his personal information from data breaches and identity theft. The suit seeks class action status.
Security and management experts are also questioning the timetable and disclosure process followed by Yahoo and its CEO Marissa Mayer in the two years since the breach happened and two months after bidding rounds led to a deal to sell Yahoo's core assets to Verizon Communications.
The hack could give buyer Verizon leeway to lower the $4.8 billion agreed in July — and perhaps even derail the deal.
"They (Verizon) are going to get a price discount," said Robert Cattanach, a lawyer who specializes in cyber security and data breaches at Washington, D.C. firm Dorsey & Whitney. "I would expect that there will be a fairly sophisticated effort to quantify the materiality of the impact of this breach and there would be some sort and price adjustment."
Shares of Yahoo (YHOO) fell 3% to $42.80. Verizon (VZ) ended up 0.4%. Representatives of both firms declined to comment.
Yahoo on Thursday said that it had been the victim of a breach in 2014 in which at least 500 million Yahoo accounts were stolen from the company in what it thought was a hack by a state-sponsored actor. The breach, which may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, is one of the largest such thefts of its kind.
That it took so long for Yahoo to realize the hack had happened "seems to fall on the side of carelessness or negligence," said Rahul Telang, a professor of information systems at the Heinz College at Carnegie Mellon University.
Potentially more damning is the possibility Yahoo senior management knew about the intrusion but didn't disclose it to users, investors or bidders.
The Wall Street Journal, citing an unnamed source, said late Friday that Yahoo executives had detected hackers in Yahoo systems in fall 2014, believed linked to Russia. It wasn't clear if that breach of 30-40 accounts was linked to the larger theft of information disclosed Thursday.
The cascade of revelations about the massive theft threatens to delay the merger, expected to close in the first quarter of next year.
Verizon, which beat out multiple bidders for Yahoo assets that include Yahoo Finance, Yahoo Sports, Tumblr, and Flickr, said it only learned of the breach two days before Yahoo's public disclosure.
"I would [ask for a pause] if I was the buyer," said Chris Bulger, founder of Boston tech advisory bank Bulger Partners. "I would consider this a materially adverse change (a factor that could allow a party to back out of a sale) until my lawyer said don’t worry about it."
Bulger estimates that Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion — more than Verizon's $4.8 billion paying price — making Yahoo "worthless," he said.
The breach also highlights how cybersecurity is becoming a bigger risk for business deals. Even a frequent acquirer like Verizon may not have done enough homework examining Yahoo's vulnerabilities.
“While it’s common to perform IT diligence to consider the value or extensibility of assets, organizations can overlook how a security incident could change the value,” said D.J. Vogel, a partner in the security and compliance practice of Sikich, a professional services firm in Naperville, Ill.
The reparations, or payouts to affected customers for credit monitoring and other services, may be the sticking point.
In many cases, the cost of reparations for a breach — $158 per record, according to security research center The Ponemon Institute — "surpasses the value of the deal,” agreed Steven Grossman, VP of strategy and enablement at Bay Dynamics, a computer security company.
Ironically, such reparations would bring Yahoo right back to where it was several months ago when its 15% stake in Alibaba accounted for nearly all of its market cap value of $33 billion. That reality led Mayer and the Yahoo board, under pressure from activist investors, to pursue a sale of the core business to extract value for shareholders.
Verizon could even call off the deal based on the findings of the subsequent investigation. “There are many shades of gray, depending on when Yahoo became certain of the breach," Grossman said. "If they were certain of it in July, depending on the terms of timing of disclosures, it could become a deal breaker."
Among those seeking answers are federal regulators, investors and, of course, Yahoo users, says Scott Kessler, an industry and equity research analyst with S&P Global Market Intelligence. "There are a lot of questions to be answered," he said. "Yahoo is going to be in a position to have to address some of those especially before the Verizon deal closes."
Even if the deal continues to go through, the breach will slow the expected gains that Verizon hoped for upon Yahoo's assimilation. “With IT systems to be integrated between both parties, this breach will add a considerable delay to convergence efforts between both parties’ infrastructures and ultimately affect operational capability,” said Stephen Coty, chief security evangelist at Alert Logic, a security firm.
Perhaps the breach was very sophisticated, Telang says, or maybe with Yahoo facing concerns about costs and, over the past year, the process of selling its core Net business "this is something that was a little bit on the back burner."
Mayer came to Yahoo more than four years ago from Google with the burden of turning around a troubled company outpaced in digital advertising by Google and Facebook.
If it is revealed that Yahoo scrimped on security while Mayer annually made $42.1 million (2014) and $36 million (2015), that would add to criticism of her time at the helm.
