Categories & Search

Aftermath of the Yahoo Breach: M&A Risk and Cybersecurity

In the midst of its acquisition by Verizon Communications Inc., Yahoo Inc. disclosed what looks like one of the largest reported thefts of user information in U.S. history.

Yahoo  has confirmed that a “state-sponsored” hacker stole personal information for at least 500 million customers.  The hack apparently compromised user names, hashed passwords, telephone numbers, street addresses and birth dates.  Yahoo reports that no payment-card data or bank account information was stolen.

The breach comes just months after Yahoo entered into an agreement with Verizon to sell Yahoo’s core operating business for $4.8 billion.  Needless to say, this news could not have come at a worse time for Yahoo and underscores that cybersecurity concerns have become a key issue in M&A activity.  For that reason, companies have undergone cybersecurity vulnerability assessments long before going to market to avoid a hiccup – or even worse – prior to a sale.

Since the facts surrounding this breach are still unfolding, it’s too early to tell what impact it will have on the proposed transaction.  In the merger agreement, Yahoo represents that to its knowledge, “there have not been any incidents of, or third-party claims alleging” security breaches or thefts of user information that “could be reasonably be expected” to have a material adverse effect on the company’s business.

While these so-called “MAE” or “MAC” clauses provide an escape hatch for acquirers when confronted with material unforeseen circumstances, such disclosures are equally likely to trigger a renegotiation of the transaction price.

Either way, life has gotten more complicated for Yahoo.  Late Friday, at least three class action lawsuits had been filed in Illinois and California accusing the company of failing to secure customer information and “to establish and implement basic data security protocols, contrary to Yahoo’s guarantees, its users’ personal information is now in the hands of criminals and/or enemies of the U.S.”

This is not the first time Yahoo’s data has been breached.  In 2012, the company acknowledged that more than 450,000 user accounts were compromised.

For now, Yahoo has said that it is continuing to investigate the breach.  In the coming weeks, we’ll be following the implications of this massive theft of customer information.