
Yahoo confirms data breach of 500 million user accounts

While it does not appear that any PHI or health-related data was exposed, the breach is considerably larger than the Anthem attack in 2015. And as with every major breach, there will be takeaways for healthcare CIOs and CISOs to learn from.
By Jessica Davis, Senior Editor

Yahoo revealed a massive data breach that affects at least 500 million user accounts, far surpassing the estimated 80 million records hackers stole from health insurer Anthem in 2015, and potentially marking it as the largest successful breach in history.

The state-sponsored attack stole account information from Yahoo’s network in 2014 and may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and for some users, encrypted or unencrypted security questions and answers, Yahoo CISO Bob Lord said in a statement.

While the investigation is ongoing, it appears the stolen data didn't include unprotected passwords, payment card data or bank account information, according to Lord. Credit card and bank account information aren't stored on the system affected by the breach. Although Yahoo did not specify this, it's unlikely any protected health information or personally identifiable information would reside in those accounts either.

According to the announcement, the attacker is no longer in the network. Yahoo is working with law enforcement during the ongoing investigation. Officials will contact potentially affected users via email and have asked users to change their passwords and account verification methods.

Yahoo has invalidated all unencrypted security questions and answers to prevent unauthorized access, and the company is asking users to review their accounts for suspicious activity and avoid clicking links in suspicious emails.

“An increasingly connected world has come with increasingly sophisticated threats,” Lord said. “Industry, government and users are constantly in the crosshairs of adversaries.” 

Healthcare organizations are certainly no exception. While it is too early to know for certain what the state actor was seeking, much as with the high-profile hacks of Target and Sony, lessons for healthcare chief information security officers, CIOs and other executives will likely emerge as the story unfolds.
