Yahoo security breach highlights cyber crime

Opinions in blog posts are the sole opinions of the author and do not reflect the views or opinions of 1.800.NoCuffs and The Kavinoky Law Firm.

Yahoo's announcement this week of a reported security breach highlights the ever-lingering threat of cyber crime. Yahoo released a statement on September 22, 2016, saying, “information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.” (1)

Yahoo Security Breach

The Yahoo statement indicates that the stolen “information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” (1) However, Yahoo does not believe that financial information was affected.

Yahoo is pointing the finger at a “state-sponsored actor” for this data breach. (1)

The Wall Street Journal reports, “Yahoo Inc. executives detected hackers in their systems in fall 2014 who they believed were linked to Russia and were seeking data on 30 to 40 specific users of the company’s online services, a person familiar with the matter said. The person familiar with the matter didn’t know whether that attack led to the theft of information on 500 million user accounts, which Yahoo disclosed Thursday.” (2)

Identity Theft

Identity theft is a federal crime. The Identity Theft and Assumption Deterrence Act was passed in 1998. It defines identity theft as occurring when someone “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” (3)

Per the United States Department of Justice, “18 U.S.C. § 1028(a)(7). This offense, in most circumstances, carries a maximum term of 15 years’ imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.” (4)

The Department of Justice further states, “Schemes to commit identity theft or fraud may also involve violations of other statutes such as identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). Each of these federal offenses are felonies that carry substantial penalties - in some cases, as high as 30 years’ imprisonment, fines, and criminal forfeiture.” (4)

Excerpt from the Prosecuting Computer Crimes manual

“Several federal laws apply to identity theft, including 18 U.S.C. § 1028. That section criminalizes eight types of conduct involving fraudulent identification documents or the unlawful use of identification information. Section 1028(a)(7), enacted as part of the Identity Theft and Assumption Deterrence Act of 1998 and amended in 2004 by the Identity Theft Penalty Enhancement Act, will apply to some network crime cases. See, e.g., United States v. Sutcliffe, 505 F.3d 944 (9th Cir. 2007) (affirming conviction under section 1028(a)(7) for posting stolen social security numbers on website). Title 18, United States Code, Section 1028(a)(7) provides:

Whoever, in a circumstance described in subsection (c) of this section—
. . .
(7) knowingly transfers, possesses, or uses, without lawful
authority, a means of identification of another person with the
intent to commit, or to aid or abet, or in connection with, any
unlawful activity that constitutes a violation of Federal law, or
that constitutes a felony under any applicable State or local law . . .
shall be punished as provided in subsection (b) of this section.” (4)

Sources

1. Bob Lord, CISO. September 22, 2016. Yahoo.com. Retrieved via https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security.
2. Robert McMillan. September 22, 2016. Wall Street Journal. “Yahoo Executives Detected a Hack Tied to Russia in 2014.” Retrieved via http://www.wsj.com/articles/yahoo-executives-detected-a-hack-tied-to-russia-in-2014-1474666865.
3. Identity Theft and Assumption Deterrence Act. As amended by Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). Retrieved via https://www.ftc.gov/node/119459.
4. H. Marshall Jarrett, Director, EOUSA. Michael W. Bailie, Director, OLE. OLE Litigation Series. Ed Hagen, Assistant Director, OLE. Scott Eltringham, Computer Crime and Intellectual Property Section, Editor in Chief. “Prosecuting Computer Crimes.” Computer Crime and Intellectual Property Section, Criminal Division. Retrieved via https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security.

Staff