Verizon on Thursday signaled that Yahoo's massive data breach disclosed three weeks ago was a significant event that could halt the telecom giant's $4.8 billion purchase of the tech firm's core business.
“I think we have a reasonable basis to believe right now that the impact is material,” Verizon General Counsel Craig Silliman said of the breach, speaking to a small group of reporters at a roundtable. A “material” effect in this case is one that would harm Yahoo's financial value, and make the Web giant less attractive to purchase.
This is the first time the company has publicly indicated that it's having doubts about the acquisition. The sale to Verizon comes after years of mismanagement by Yahoo executives who failed to adapt to a modern Internet industry. And the deal seems poised to close a tumultuous chapter in Yahoo's history.
Now, revelations of Verizon's internal deliberations threaten to cast an even bigger cloud over Yahoo's future.
The deal between Verizon and Yahoo is currently expected to close in the first quarter. Verizon said that the burden is on Yahoo to prove that the breach hasn't damaged its value."We're looking to Yahoo to demonstrate to us the full impact they believe it's not," Silliman said. If Verizon concludes the breach had a material impact on Yahoo's business, then a key condition of the deal would not be met, he said. Analysts say that could trigger an escape clause in the agreement to allow the telecom company to back out of the deal.
Yahoo said in a statement: “We are confident in Yahoo’s value and we continue to work toward integration with Verizon.”
Yahoo said it discovered the breach,
the largest recorded in history, in August. The firm said it occurred in 2014 and affected at least 500 million user accounts. The Silicon-Valley based company blamed it on “state-sponsored” hackers. And U.S. officials said privately that the FBI believes that it was the work of Russian government hackers, though no final conclusion has been reached.
Silliman said Yahoo has given Verizon “preliminary briefings” on the hack, “but we're certainly not done with the amount of information we need to receive from them. … We still have a significant way to go in terms of the information we need to get before we can make our final determinations.”
Verizon's investigation of the breach is currently 50 to 60 percent complete, said Verizon chief executive Lowell McAdam this week.
Yahoo's announcement last month about the hack raised eyebrows because it was in the midst of a sale. When companies report significant breaches, they rarely say who they suspect carried it out, or even if they think the culprit was a “nation-state” or a criminal.
Some analysts note that Yahoo could argue that a hack conducted by a government is a “force majeure” or unavoidable event rather than a “material adverse effect.” That could be used to prevent Verizon from abandoning the deal.
But Silliman made clear on Thursday that the “state-sponsored” nature of the breach would have no bearing on the analysis of materiality.
“From a legal perspective,” he said, “the question . . . ‘is it a state-sponsored attack?’ isn't really relevant in terms of what we're looking at. The question is whether this [had] a material or an adverse effect on the asset we are buying.”
If Verizon determined that the breach was material, then it could halt the acquisition and demand a return to the bargaining table, said Walt Piecyk, a telecom analyst at BTIG.
A report last week from the New York Post suggested Verizon could seek a $1 billion discount on the deal. McAdam dismissed those rumors Monday as “total speculation.”
Nonetheless, said Craig Moffett, a telecom analyst at MoffettNathanson, “declaring the hack to be a [material adverse change] is a clear prerequisite for demanding a price concession, so that is obviously the next shoe to drop.”
The apparent compromise of Yahoo by Russia is one among many by them. Russian government hackers have in recent years penetrated the networks of government agencies, defense contractors, media organizations, think tanks and political parties in the United States and Europe. They have in some cases conducted disruptive attacks and in others are suspected of being behind the leaking of hacked material in an effort to embarrass or rattle public figures and Western governments.
On Friday, the Obama administration formally accused Russia of attempting to interfere in the U.S. election, including by conducting hacks of political organizations.
The motives for a nation-state actor such as Russia in the Yahoo case “might range from actively collecting intelligence about their political dissidents, to targeting candid communications between government officials who might use private email as a means to circumvent official records management policies,” said Rich Barger, chief information officer of the cybersecurity firm ThreatConnect, who has closely analyzed Russian hacking campaigns.
Yahoo noted in its announcement that “online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.” Since December, it said, it has notified 10,000 customers that their accounts have been targeted by a state-sponsored actor. That's apart from the current case, it said.
The Yahoo breach affected names, email addresses, telephone numbers, birth dates, encrypted passwords and in some cases security questions and answers, the firm said. It urged customers to change their passwords and invalidate unencrypted security questions and answers. Financial data such as credit card information was not stolen.