In a shocking announcement last month, Yahoo confirmed that data on 500 million user accounts was compromised in 2014, the largest data breach in history. Could it also become the most expensive?
Yahoo is in the final phases of a deal with Verizon to sell itself to the telecom giant for a mind-boggling sum of $4.8 billion. The breach bombshell can’t have gone over well in Verizon corporate headquarters. The companies announced the sale in July, the same month Yahoo claims it discovered the two-year-old breach. Yet Yahoo only told Verizon about the breach in September, two days before it came clean publicly.
The sequence of events generated boatloads of brand-damaging media attention and set off a wave of speculation in the financial press that the deal could stall. Senior senators in Washington are talking about launching investigations into what Yahoo knew and whether it concealed the breach from Verizon to keep it from sinking the deal or lowering its offering price.
In the wake of the Yahoo breach and the ongoing fallout, it’s not hard to imagine scenarios where a data breach or cyberattack could cost billions of dollars. Perhaps a merger or acquisition deal falls through. Or the acquiring company’s stock takes a major hit, devaluing the company and hurting investors.
Investors are certainly paying attention to cybersecurity these days. Given the recent history of punitive fines and lawsuits against breached companies, it’s not unreasonable for risk-averse investors to steer clear or sell shares when companies are compromised. And now there’s a new investment strategy that sees risk in the potential for breaches based on security vulnerabilities.
In early September, the medical device manufacturer St. Jude Medical was blindsided by short-sellers betting against its stock value, after a security research firm tipped off the trading firm Muddy Waters that vulnerabilities in St. Jude’s implantable devices could lead to product recalls. St. Jude took a hit on its stock price, which fell by 5 percent in one day. And the company’s value dropped 7 percent below the $25 billion asking price in St. Jude’s acquisition by another company.
The financial arrangement between Muddy Waters and the security firm, MedSec Holdings, raises serious ethical questions. MedSec, which was founded by a former hedge fund manager, spent more than a year probing for vulnerabilities in St. Jude’s pacemakers and connected monitoring devices. The security firm had no intention of responsibly disclosing its findings to St. Jude before taking them public. Instead, MedSec provided the information to Muddy Waters, waiting until the investment firm shorted the stock before coming out with its findings.
Muddy Waters principal Carson Block later told media that the public disclosure was a benefit to consumers, who could have been harmed by attackers launching a “mass attack” against the devices using insecure protocols connecting pacemakers to home monitors and physicians. Yet MedSec’s research findings seem to have more holes than St. Jude’s devices. St. Jude said MedSec’s findings were based on false assumptions and describe an attack that would be almost impossible to carry out.
MedSec justified not disclosing to St. Jude on the grounds that the “devices are so poorly protected” that it was likely the result of “gross negligence over many years,” and that even if they told St. Jude, the device manufacturer would “sweep it under the rug,” Block told Bloomberg News. “St. Jude has been putting profits before patients,” Block said. Not surprisingly, St. Jude is now suing Muddy Waters and MedSec.
In the end, it doesn’t matter if the St. Jude devices were actually vulnerable to real-world attacks or not. Muddy Waters’ short of St. Jude’s stock was self-fulfilling, which should give us pause to consider the possibility that unscrupulous “researchers” could pull this trick based on even less. Even the false perception of risk could be enough to drive investor behavior and put companies in a vise.
The St. Jude story underscores the importance of companies doing as much as possible to reduce the risk of vulnerabilities in every piece of software they use. For development teams, that means baking in security throughout the software lifecycle, beginning with systematic assessment of code as soon as developers write it, and continuous monitoring of applications in production.
There’s no excuse or forgiveness for ignorance of what’s in third-party code or software products either. Companies need to assess the code quality in open source components they use in developing their own software. And they may want to consider requiring software vendors to commit to an assessment of their code before purchasing their products.
The cost of breaches – and merely the possibility for security incidents – is becoming too great to take a chance on doing the bare minimum. A complete application security strategy is becoming a requirement. Customers expect it, lawmakers require it and investors demand it. You don’t want to be the next St. Jude or the next Yahoo. When it comes to application risk, no company is too big, or too small, to fail.