Yahoo Security Breach: The Pee-Wee Purple Solecism
September 23, 2016
Remember ShrinkyDinks? Kids decorate pieces of plastic. The plastic then gets smaller when heated. I believe the ShrinkyDink management process has been disclosed. The innovator? Marissa Mayer, the former Google search guru turned business management maven.
What’s the ShrinkyDink approach to running a business? Take a revenue stream, decorate it with slick talk, and then reduce revenues and reputation. The result is a nifty entity with less value. Bad news? No. The upside is that Vanity Fair puts a positive spin on how bad news just gets worse. A purple paradox!
ShrinkyDink Management. Pop business thinking into a slightly warmed market and watch those products and revenues become tinier as you watch in real time. Small is beautiful, right? I can envision a new study from Harvard University’s business school on the topic. Then comes an HBR podcast interview with Marissa Mayer, the Xoogler behind the ShrinkyDink method. A collaboration with Clayton Christensen is on deck. A book. Maybe a movie deal with Oliver Stone? As a follow up to “Snowden,” Stone writes, produces, and directs “Marissa: Making Big Little.” The film stars Ms. Mayer herself as the true Yahoo.
I read “Yahoo Verizon Deal May Be Complicated by Historic Hack.” Yahoo was “hacked,” according to the write up. Okay, but I read “hack” as a synonym for “We did not have adequate security in place.”
The write up points out:
The biggest question is when Yahoo found out about the breach and how long it waited to disclose it publicly, said Keatron Evans, a partner at consulting firm Blink Digital Security. (Kara Swisher at Recode reported that Verizon isn’t happy about Yahoo’s disclosures about the hack.)
CNBC points out that fixing the “problem” will be expensive. The write up includes this statement from the Xoogler-run Yahoo:
“Such events could result in large expenditures to investigate or remediate, to recover data, to repair or replace networks or information systems, including changes to security measures, to deploy additional personnel, to defend litigation or to protect against similar future events, and may cause damage to our reputation or loss of revenue,” Yahoo warned.
Of interest to me is the notion that information about 500 million users was lost. The date of the problem seems to be about two years ago. My thought is that information about the breach took a long time to be discovered and disclosed.
Along the timeline was the sale of Yahoo to Verizon. Verizon issued a statement about this little surprise:
Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.
I highlighted in bold the two points which snagged my attention:
First, Verizon went through its due diligence and did not discover that Yahoo’s security had managed to lose 500 million customers’ data. What’s this say about Yahoo’s ability to figure out what’s going on in its own system? What’s this say about Yahoo management’s attention to detail? What’s this say about Verizon’s due diligence processes?
Second, Verizon seems to suggest that if its “interests” are not served, the former Baby Bell may want to rethink its deal to buy Yahoo. That’s understandable, but it raises the question, “What was Verizon’s Plan B if Yahoo presented the company with a surprise?” It seems there was no contingency, which is complementary with its approach to due diligence.
The decision making process at Yahoo has been, for me, wonky for a long time. The decision to release the breach information after the deal process and before the Verizon deal closes strikes me as an interesting management decision.
Some of the thoughts I jotted down when I learned about this interesting management decision were:
- Management judgment is a real issue for me. Marissa Mayer withheld the information in order to force the deal to fall through. Spite? A desire to remain in charge until the last Yahooligan leaves the staggering company?
- Yahoo’s technical capabilities are certainly in doubt. Why was the company unable to determine that a data breach of some magnitude went undetected, unresolved, and unreported for two years? Why weren’t routine security audits able to detect the issue?
- What about individual staff members? Were they unaware that systems had been compromised? Did no staff member charged with monitoring abnormal activity recorded in log files notice anything? Perhaps no one cared? Perhaps no one had this responsibility? Perhaps someone noticed and [a] did not bother to tell anyone or [b] did report it and the message was ignored? Was this a cover up?
Yahoo’s handling of its data loss makes the behavior of the managers at the Office of Personnel Management look darned good.
What’s next?
- Obviously the “value” of Yahoo has been reduced with the loss of credibility and the data itself. Yahoo’s technical acumen has been given the ShrinkyDink treatment. Yahoo’s actions could be characterized as duplicitous.
- Verizon, despite its due diligence failures, may have an opportunity to shave some money off the purchase price of Yahoo. Verizon’s acquisition team might be described as careless or superficial in their review of the company’s security operations.
- Marissa Mayer may well be described as incompetent or mendacious by one of the whiz kid analysts who explain this incident to their high net worth clients.
Yep, motion picture grade story. If the movie deal falls through, perhaps Ms. Mayer can get a job at Wells Fargo Bank?
Stephen E Arnold, September 23, 2016