2016 was a record setting year for data breaches and hacks. In the last few months of the year Yahoo began making headline news for all the wrong reasons with two stories around how it was the victim of the largest cyber-attack in history, which saw one billion accounts being compromised. Making this situation all the more worst for Yahoo, was the fact that it was in the process of being acquired by Verizon.
This hack in fact has resulted in Verizon paying $350 million less for Yahoo and receiving confirmation from Yahoo’s board that any future legal costs or reparations will be jointly covered. The bad news of companies across the globe is that Yahoo’s attack is likely to only be the beginning. As cyber attacks escalate in both their volume and size the dangers to companies looking at acquiring others rises.
Part of the problem for the acquirer is the sheer size and scale that many merger and acquisitions (M&As) take. With so many moving parts involved in a large scale M&A, the implications of forgoing cyber security checks can be far from the buyer’s mind. Contracts, staffing and legal frameworks, often appear more pressing as deadlines approach than carrying out cyber security checks. Nevertheless, overlooking checks can prove detrimental later on, when contracts have already been signed and deals are completed. Once a data breach is found, even if it took place years before an acquisition was planned, as it might have happened in Yahoo’s case, the purchasing company can be held responsible and consequently suffer the penalties, charges and inevitable loss of reputation.
Eventually, when a data breach does come to light, reputations and financial losses can quickly escalate. For those who worked hard on the deal, a career defining moment can instantly turn into a dreadful and ongoing nightmare.
Verizon’s deal to buy Yahoo is just one example of what can happen if the correct cyber security checks are not carried out. What seemed like a straight forward M&A deal between two of the world’s largest technology companies, quickly evolved into a PR disaster. With Verizon having agreed to buy Yahoo for $4.8 billion, it quickly became clear that the correct checks had not been carried out and that the deal might not happen. Once the dust had settled, and the legal teams from both parties had reached an agreement, a sizable discount was added, bring the value of Yahoo down by $350 million.
The cost of an attack
In many ways though, Yahoo and Verizon can be seen as getting off lightly. The financial impact of a data breach can easily spiral into large sums of money, with some estimates placing the average cost at $221 per stolen record in the US. If this is applied to the smallest of Yahoo’s reported attacks the total would be over $100 billion. Furthermore, a company’s share price tends to dip after a breach, with the likes of TalkTalk slashing 20 percent off its share price in the months after its widely broadcast cyber-attack.
