In 2015 I was targeted by scammers who claimed to be from Microsoft and said that I had a virus on my Dell computer. Another graduate student had originally registered the computer with Dell technical support. When the hard drive failed I updated the phone number, but I had overlooked updating the name in the contact info. When the scammers called me they addressed me by the name of the other grad student. I tried to report this breach to Dell at the time, but I didn't get anywhere. Seeing this news reminded me of the incident and I searched to see if Dell had disclosed the breach. I found a few articles from early 2016 where others were reporting similar experiences but Dell was not admitting at that time that they had experienced a breach [1-3]. In May 2016 Dell still claimed that they had "no indication that customer information used in the scams has been obtained through an external attack" [4]. Does anyone know if they ever admitted to the breach? They ought to be sanctioned as well if they failed to disclose.
I found a couple Hacker News threads related to this breach [1,2]. Did anyone end up reporting it to the FTC? I just filed a tip with the SEC. Curious to see if they follow up.
Somebody got my information from somewhere - I have no clue, and tried to target me with the Microsoft Support scam. It was hilarious, and I wrote about my own experience[1], but I do wonder how many unsuspecting folks fall prey to it. :(
They're possibly telling the truth. Maybe they weren't breached. They may have just sold their customer list to one of their "marketing partners" who was either breached or are the crooked actors themselves.
Hundreds of millions of users had their data stolen. Putting this fine at less than a dollar per user. Is that really what our private information and security is worth? Who cares if they're being fined when it's a slap on the wrist. To all those talking about billion dollar fines on Facebook: fat chance.
I mean, the crime here isn’t against users, it’s against investors right? That’s why the SEC is involved. I don’t even know who enforces the meager consumer privacy protections we have these days.
> I don’t even know who enforces the meager consumer privacy protections we have these days.
Based on the fact that the ISPs lobbied to be able to sell browsing history... I don't think any government agency truly enforces consumer privacy protection.
FB's case is different. I think the term for FB's case is private data abuse rather than leak. Cambridge Analytica took the data through the API just like every other app was doing at the time, but violated the terms of use. FB is guilty because it designed the wrong way (no excuse) to share the information (still under consent). For example, banks share your personal info around all the time (say promo mails). For Yahoo, that's ... poor technology & management.
You're making the case that Facebook was negligent and Yahoo wasn't. I don't think that's true because Yahoo kept the hack a secret from auditors and users for 3 years.
Considering there was a foreign state agent involved in the hack, we should consider the possibility that Yahoo could not disclose the hack even if they wanted to.
As this is the SEC, making a fine on behalf of investors, it reflects the impact to investors. That being, that unfortunately most users continue to use platforms in spite of serious security and/or privacy concerns. Combined with weak consumer protection, this makes the consequences for the company fairly minor.
Most users will give away their personal data for a discount of less than a dollar, sometimes even for free. So yeah, the market rate for our personal information is very low per person.
So about a $1 fine for every 100 accounts exposed [1]. Also the entire sum is less than what Marissa Mayer got every year in salary [2], as well as a small fraction of what she got as compensation for selling Yahoo to Verizon [3].
Agreed, the $35 million penalty was to settle charges that Yahoo "misled investors by failing to disclose one of the world’s largest data breaches".
The breach occurred on Dec 14th 2014 and it wasn't disclosed until 2016 during the acquisition by Verizon.
Taken from the SEC's site:
"Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure."
It says “for adjective adjective cyber theft”, which implies the undisclosed is just modifying the object they were fined for. GP is not alone in their confusion, top comment right now is talking about how it’s a slap on the wrist _for the breach_ (and not for the lack of disclosure).
A better title would be “SEC Penalizes Yahoo for Failure to disclose Massive security breach”
Wow, I can't believe Marissa Mayer got away with all this, pocketing a nice lump sum and while still being portrayed as some heroic female icon. I paid a lot for her incompetence - Hackers took control of my bank accounts and I wasn't able to login into my net banking without visiting my nearest branch. I know I wasn't the only one. Fuck Yahoo. Fuck Mayer.
Does this kind of stuff damage CEO's reputation in the job market? I'm trying to grasp what was at stake that made the executive(s) withhold publicizing the breach...
Not to get too cynical, but... it shows loyalty. A CEO that presided over a security breach, kept it as quiet as possible, and only cost the company $35MM. Like it or not, his job is to protect the company, not the users.
Compared to, say, Zuckerberg or Equifax's public raking over the coals.
>A CEO that presided over a security breach, kept it as quiet as possible, and only cost the company $35MM. Like it or not, his job is to protect the company, not the users.
Sorry to be pedantic but it'd be 'her job', in this case - Marissa Mayer was CEO at the time.
I wasn't sure which to say. Marissa was CEO at the time of the breach, and Tim Armstrong is CEO now.
She testified and took a lot of the blame, whereas the fine happened under Tim Armstrong. I figured I'd go with the latter since that's when the fine came down, but I think both deserve credit (good or bad).
English is not my first language, so forgive my asking, but isn’t that sort of uncomfortable to use? Looking at the examples given, they’re all PA announcements or something similarly detached. It also seems easy to confuse with the plural. What’s the point of decreasing the clarity and utility of language for the sake of a percent of a percent who might be bothered?
English is my first language, and I think it sounds fine:
> A CEO ... . Like it or not, their job is to protect the company, not the users.
It wouldn't sound as correct if the subject was a specific person. In that case the gender-specific pronoun would be better.
> Marissa Mayer, as CEO ... . Like it or not, her job is to protect the company, not the users.
Even so, use of 'their' in the latter example would still be acceptable, if a little odd, because it's referring more to the role than the person (I think).
[edit] for what it's worth, I think you're overwhelmingly underestimating the percentage of people who think more gender-inclusive language is a useful thing.
That said, I didn't suggest the option because I was trying to make that point, I suggested it because the parent was dealing with a situation (unsure of gender of the CEO) where use of the singular they is really effective.
It's commonly used, at least in the UK, in informal speech even where the intent isn't to be gender-neutral, so it doesn't feel uncomfortable to use at all.
Might I suggest you consult with professional linguists and grammarians on this topic? They will soon disabuse you of this prescriptivist nonsense about 'singular they'.
Language has always changed with time. The singular they is very well accepted today and has been for decades in most English speaking cultures. I find it interesting that some people seem to find it necessary to defend the older forms - not sure what purpose that serves.
They exist and should be respected, but represent a tiny minority. Changing pronouns for everyone to please that fraction of the population seems silly unless you’re addressing that fraction.
It could potentially cost far more- the $35MM is just the SEC fine, they could still be subject to other actions by differing agencies. Whether that can or will actually happen? Who knows..
But in any case, Yahoo is already effectively dead, so this is pretty meaningless imho
[1] https://krebsonsecurity.com/2016/02/dell-to-customers-report...
[2] https://www.cio.com/article/3020733/security/scammers-target...
[3] https://arstechnica.com/information-technology/2016/01/lates...
[4] https://blog.dell.com/en-us/dell-phone-tech-support-scams/