A Yahoo spokesperson originally told the media the malware incident occurred on Jan. 3, then updated its statement to extend the breach back to Dec. 31 -- despite the security company that uncovered the malware incident originally reporting its first evidence of the hack dated back to Dec. 30. Now the official timeline is Dec. 27 - Jan. 3. And while earlier assurances said that "users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected," the company now says that though the bulk of those exposed were on European sites, "a small fraction of users outside of this region may have been impacted as well."
Yahoo's announcement is similar to Target's recent reassessment of the number of people affected by its security breach. While the company initially announced that credit and debit card information was stolen from as many as 40 million people, on Friday Target said hackers may have compromised the personal data of an additional 70 million people -- and the information included names, phone numbers and e-mail addresses rather than financial data. These changing figures can leave consumers feeling like companies are dragging their feet responding to a breach, or worse, outright misleading the public.
But experts say these changes aren't necessarily the result of incompetence or deception, but rather are often due to the difficult nature of doing forensic analysis on cybercrimes. "I don’t find it surprising when statistics regarding a breach change", says Nick Levay, the Chief Security Officer at cybersecurity firm Bit9. (Full disclosure: Levay and I were previously colleagues at the Center for American Progress.)
"At any point during an investigation, you can discover something that changes your understanding of the scope, " Levay explains, adding that inquires can be "further complicated by the fact that many attackers employ anti-forensic techniques to impede investigators." Yahoo confirmed to The Post that the update to the attack timeline was the result of "further investigation" into the attack, which it described as a "complex" issue.
While this can be frustrating for the public relations team of a breached company, this challenge is also part of what attracts some people to the information security field. "From a practitioner's perspective, it’s like unraveling a mystery," says Levay. "Every system or log could contain a plot twist." But Yahoo and Target, assuredly, would both prefer fewer twists at this point.