You’ll remember that Yahoo suffered a significant data breach (affecting about 3 billion user accounts) in 2013, but didn’t get around to telling anyone until 2016.
The costs of that breach are now becoming clear:
- $350 million reduction in the sale price when Yahoo sold its business to Verizon.
- $50 million in damages to those whose accounts were compromised.
- $35 million in lawyer-related fees.
- For US users, two years of free credit-monitoring services.
- 25% refund for Premium account users who were affected.

So, how much should Yahoo have spent on information security management? Well, $100 million would probably have preserved $350 million in enterprise value.
But Yahoo evidently did not see information security as a top-line, board-level risk management and accountability issue – and for that it continues to pay the price.