Costs of the Yahoo data breach

You’ll remember that Yahoo suffered a significant data breach (affecting about 3 billion user accounts) in 2013, but didn’t get around to telling anyone until 2016.

The costs of that breach are now becoming clear:

  • $350 million reduction in the sale price when Yahoo sold its business to Verizon.
  • $50 million in damages to those whose accounts were compromised.
  • $35 million in lawyer-related fees.
  • For US users, two years of free credit-monitoring services.
  • 25% refund for Premium account users who were affected.

So, how much should Yahoo have spent on information security management? Well, $100 million would probably have preserved $350 million in enterprise value.

But Yahoo evidently did not see information security as a top-line, board-level risk management and accountability issue – and for that it continues to pay the price.