Verizon rethinking $4.8-bn Yahoo deal over data breaches

16 Dec 2016

Verizon Communications Inc is looking at ways to modify its $4.8-billion deal to buy Yahoo Inc's core internet business after the technology company disclosed a second massive data breach (See: Yahoo data breach could affect Verizon deal: Verizon executive), sources told Reuters on Thursday. Yahoo Inc shares fell almost 5 per cent after the breach of data belonging to more than 1 billion users was disclosed, following another large hack reported in September.

Verizon is seeking to persuade Yahoo to amend the terms of the acquisition agreement made in July to reflect the economic impact of the data (Verizon pushing for $1-bn discount on deal to buy Yahoo) breaches, according to the Reuters report citing people familiar with the matter.  The telecommunications company has threatened to go to court to get out of the deal if it is not re-priced, citing a material adverse effect, said the sources, who asked not to be identified because the negotiations are confidential.

Verizon still expects to go through with the deal, but is looking for "major concessions" in light of the most recent breach, according to the report. Reuters' sources did not know what kind of concessions Verizon is pushing for.

Verizon had already said in October it was reviewing the deal after September's breach disclosure. Late on Wednesday, it said it would "review the impact of this new development before reaching any final conclusions" about whether to proceed.

The company declined to comment beyond that statement on Thursday.

Sunnyvale, California-based Yahoo said late on Wednesday that it had uncovered a 2013 cyber attack that compromised data of more than 1 billion user accounts, the largest breach in history.

That followed Yahoo's disclosure in September of a separate breach that affected over 500 million accounts, which the company said it believed was launched by different hackers. Yahoo shares were down 4.7 per cent at $39.00 on Thursday.

The White House said on Thursday the US Federal Bureau of Investigation was probing the breach. Several lawsuits seeking class-action status on behalf of Yahoo shareholders have been filed, or are in the works.

The latest breach has drawn widespread criticism of Yahoo from security experts, several of whom have advised consumers to close their Yahoo accounts.

"Yahoo has fallen down on security in so many ways I have to recommend that if you have an active Yahoo email account, either direct with Yahoo or via a partner like AT&T, get rid of it," Stu Sjouwerman, chief executive of cyber security firm KnowBe4 Inc, said in a broadly distributed email.

Germany's cyber security authority, the Federal Office for Information Security (BSI), advised German consumers to consider switching to safer alternatives for email, and criticized Yahoo for failing to adopt modern encryption techniques to protect users' personal data.

"Considering the repeated cases of data theft, users should look more closely at which services they want to use in the future and security should play a part in that decision," BSI president Arne Schoenbohm said in a statement.

Meanwhile, Democratic Senator Mark Warner of Virginia said he was looking into Yahoo's cyber security practices.

"This most-recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users," he said in a statement.

Warner, who will become the top Democrat on the Senate Intelligence Committee next year, described the hacks as "deeply troubling". He said he had repeatedly asked Yahoo for briefings about the 2014 hack, which affected 500 million accounts, but had not received a response.

After the 2014 hack, which was disclosed in September, Warner asked the US Securities and Exchange Commission to investigate whether Yahoo had fulfilled obligations to inform investors and the public about it.

"If a breach occurs, consumers should not be first learning of it three years later," Warner said on Thursday. "Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites."

Yahoo has said the data stolen from more than 1 billion user accounts may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.