Earlier this month, Yahoo revealed that it suffered a massive hack in 2013 that affected at least 1 billion user accounts. That came just three months after the company disclosed a hack from 2014 that affected 500 million accounts.
The breaches are thought to be the biggest of all time, presenting uncharted territory for regulators at the Federal Trade Commission, which have thus far levied fines in cases that were a fraction of the size.
But beyond the scale of the breach, Yahoo is unique in that so many people use their Yahoo email as the credential to log into other internet services such as messaging or banking, and now those services are compromised as well.
“Transactions performed over email may be compromised and that can include all sorts of sensitive data,” said Steve Rubin, a lawyer at Moritt Hock & Hamroff who specializes in digital security. “Aside from the number of customers, the nature of this data presents potentially far reaching ramifications.”
Recent SEC filings from Yahoo show that that company has been in touch with the FTC, federal prosecutors’ offices, state attorneys general and other regulators, although not necessarily as part of any investigation. According to regulatory insiders and legal experts that spoke to VICE News, the FTC is likely the agency that will take the lead on any investigation that would materialize.
“The FTC has a responsibility for and can take legal action against companies for not properly safeguarding people’s data,” said one White House official. “And they have a record of taking enforcement actions and making those actions stick.”
As to how regulators might take on enforcement, Northeastern University professor Andrea Matwyshyn, who has advised the FTC on data security policy, said that a major question regulators going forward is the lack of precedent for something like the Yahoo hack. The SEC, for example, would handle an investigation pertaining to whether investors were properly advised of the risks of a major breach. But it’s not clear what the SEC might do.
“Because of the limited case data and enforcement history, we don’t have a legal sense of what the SEC views as adequate [disclosure of risk],” Matwyshyn said. As for the FTC, which doesn’t publicly announce such investigations, Matwyshyn added that “certainly this kind of a security breach is consistent with the attack patterns that have given rise to FTC investigations in the past.””
Both the FTC and Yahoo declined to comment for this story.
The most recent comparable example in terms of the kind of information exposed was the hack of the dating service Ashley Madison, which affected 33 million accounts — a fraction of the number exposed in the Yahoo hacks. The company recently settled its case with the FTC and other regulators for $17.5 million, though it will only pay $1.6 million because the business is in serious financial trouble.
Though Yahoo doesn’t appear to be as dire a financial situation as Ashley Madison (Yahoo reported $1.4 billion in bank at the end of September), the company will likely be able to duck paying out a financially crippling fine. That’s because the FTC’s ability to levy fines has been limited. The largest fine it’s ever levied was a $100 million settlement against Lifelock for false advertising. Commissioners have in the past asked Congress for authorization to levy stiffer civil penalties, and though Democrats in the U.S. Senate have been making noise about the Yahoo hacks, it’s unclear if that will amount to anything.
But even if regulators decline to pursue an investigation of Yahoo, the company could instead face financial pressure.
Yahoo is in the process of selling itself to Verizon for $4.8 billion. Verizon was already reportedly pretty queasy after the September hack was revealed, and Bloomberg now reports that the company has an internal legal team exploring whether Verizon can get a discount on or exit entirely from the Yahoo acquisition.
Then there’s the inevitable lawsuits from Yahoo’s own users. Within hours and days of when the hacks were disclosed in September and December, Yahoo was hit with multiple class-action lawsuits. And according to Steve Rubin, a successful class-action could hit Yahoo significantly, because the potential size of the class is so large.
In the aftermath of Target’s own giant 2013 hack that compromised the information of 40 million credit cards, the retailer agreed to pay $10 million to settle its own class-action lawsuit. When asked how the Target breach compared to the Yahoo hacks in severity and size, Rubin said that the Yahoo breaches “dwarf” what happened at Target.
Correction (December 23, 2:25 p.m.): A previous version of this article misquoted Professor Andrea Matwyshyn discussing the enforcement policies of the FTC. She was referring tot the SEC.