Yahoo’s Data Breach: What’s the Real Crime?

Fueled by a recently revealed data breach of monumental proportions, a class-action lawsuit was filed in San Diego against Yahoo Inc. (just a mere few hours after the company publicly acknowledged any invasive activity) that included allegations of negligence, misrepresentation, invasion of privacy and even deception. Time will tell how the case plays out, but many in the industry are questioning one point—was the company’s inability to detect the problem earlier the most egregious injustice of all?

According to sources, one of the largest security hacks in history—involving over 500 million user accounts—was discovered a full two years after the incursion occurred. Making matters worse, the subversive act was uncovered in the midst of a $4.83 billion acquisition by telecommunications giant, Verizon, only because Yahoo security experts were investigating another potential data breach that turned out to be unfounded.

Certainly not the only Fortune 500 player to have problems with the security of their customer’s data in this digital age, Yahoo is finding itself in the company of other big players such as Home Depot, Target and Premera Blue Cross—all of which have recently endured not only data theft, but also scathing after-the-fact analysis of their efforts to protect such sensitive information in the first place.

While this intrusion upon Yahoo may simply be the latest in a string of high-profile, online data hijackings that some web users are beginning to view as the price of utilizing Internet services, it is becoming increasingly apparent that this might only be the tip of the virtual iceberg, as there’s no indication as to the full extent of which personal data has been compromised—mainly because stolen data is now being used in different ways that defy easy detection.

One such technique that criminals are using is called “credential stuffing.” In such situations, hackers obtain bits of personal data from different accounts over time—slowly building a dossier of sorts on individual consumers. Once there’s enough data accumulated to enable a scam, the dossiers are sold on the black market. These behaviors differ from data hacks of the past because thieves aren’t necessarily opting for immediate use of credit card and social security numbers. Often, they are slowly siphoning valuable benefits from online gaming accounts, airline loyalty programs and even stored balances on cards for popular coffee chains.

So, the landscape is changing. The once obvious trail of breadcrumbs in such cases is crumbling into indiscernible dust. But where does that leave us? How are we to detect such fraudulent activity in the future and who are we hoping to hold accountable when there is no singular source? Many say this is a question of corporate governance… or possibly an issue for governmental intervention. While not the answer most want to hear, this incident might signal a new era for online users, one where they must shoulder more of the responsibility and remain ever watchful—as it’s the theft of their identity that is ultimately at stake.