Breach podcast - S1 Episode 4B

Episode 5—Which Russia hack? Part 2

Episode Notes and Transcript

Show notes

Featured guests include:

 

Damon McCoy
Damon is an assistant professor of computer science and engineering at New York University's Tandon School of Engineering.
Website: http://damonmccoy.com/

 

Dennis Dayman
Dennis is chief privacy and security officer at Return Path. He has more than 20 years of experience combating spam, security/privacy issues and data governance issues.
Twitter: @ddayman

 

Amy Knight
Amy Knight is a historian of the Soviet Union and Russia. She has been described by The New York Times as "the West's foremost scholar" of the KGB. Her most recent book is "Orders to Kill: The Putin Regime and Political Murder."
Twitter: @aknight613

 

Michael R. Isikoff
Isikoff is an American investigative journalist who is currently the Chief Investigative Correspondent at Yahoo News.
Twitter: @Isikoff

 

Andrei Soldatov
Andrei is a Russian investigative journalist and co-author of "The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries."
Twitter: @andreisoldatov

Transcript

Breach Episode 5 - Transcript

 

ALIA:

Last episode we tried -okay, I tried- to find a compelling, direct way to connect the alleged Russian Yahoo hacks to the alleged Russian DNC hacks, and to the alleged Russian social media hacks of the 2016 election.  

Can we get out the red yarn Bob, like can we connect the alleged Russian Yahoo hack to the alleged Russian DNC hack and election interference?  Can we do that?

 

BOB:

If this were a movie, the last scene of the movie would be one person was behind all of these things, all these allegations that seem to involve Russian hackers.  That's tempting to do, but extraordinary claims require extraordinary evidence, and we don't have that evidence.

 

ALIA:

Instead of the tidy dotted line, what we found was a murkier, complicated world of individual Russian cyberattacks, all connected to Russia’s larger ongoing cyber playbook, in which the Yahoo hack might have quietly signified the first time the US formally said ‘Hey, Russian FSB, we see you.’

This is Breach.

We pick right back up with that Yahoo indictment, in which the US made formal allegations against the Russian FSB for the first time, naming Center 18, the four hackers involved, and other FSB parties ‘known and unknown.’  The timing of this Yahoo indictment made for some tricky fallout back in Moscow.

 

ANDREI:

The problem is that this operation was actually exposed when they already were in the middle of the scandal of the DNC hack.

 

ALIA:

That’s our Russian journalist friend, Andrei Soldatov, talking about the Yahoo hack being exposed in the middle of the DNC scandal.

 

ANDREI:

Which means that the picture is getting more and more complicated.

 

ALIA:

The indictment of the Russian FSB and Center 18, the indictment for the Yahoo hack, hits four and a half months after the US election of Donald Trump. 

 

ANDREI:

And the very first reaction to the election was that we get some people sent to jail.  We’ve got two FSB high-ranking officers sent to jail in December of 2016.  And one of these guys, Dokuchaev, he’s actually an officer of the Information Security Center.

 

ALIA:

That’s our Dokuchaev, working in Center 18.  For a journalist like Andrei, this is infuriating, because- 

 

ANDREI:

You have no access to him or his lawyers, and actually the immediate result of him being sent to jail is that you can’t (understand) why he is there.  He is still there, actually.  He is still in the most secure prison facility in Russia, called Lefortovo, it’s a very famous prison.

 

ALIA:

That’s Moscow’s infamous Lefortovo prison, now under FSB control, formerly a site of KGB torture, keeping people horrified since it was built in 1881.

 

ANDREI:

I was once there interrogated by the FSB, so I remember this building very vividly.  We still do not know why he is there.  The reason was not provided.  It’s actually it’s very difficult to understand what actually happened with Yahoo operation.  Probably, one of the reasons why he was sent to jail, probably had something to do with Yahoo.  Or maybe it’s all about the DNC hack.  Or maybe it’s about something else.

 

BOB:

That’s so funny.  It is so very Russian.  Well, he could have been arrested for Yahoo, he could've been arrested for the DNC, or could’ve been arrested for something else.  So- 

 

ALIA:

Those are the options. 

 

BOB:

So what did we learn?  Nothing. 

 

ALIA:

So that's where Dmitry Dokuchaev ended up.  Dmitry Dokuchaev is possibly a double agent, and was thrown into a Russian prison, conveniently around 2016. 

 

BOB:

Immediately after the election, within days of this sanctioning document, yeah.

 

 

ALIA:

And so it's possible that he informed the United States of Russian meddling, then he was thrown into prison so he couldn’t talk to anyone. 

 

BOB:

That's the speculation, that Dokuchaev, again whose name appears on the indictment for being one of the ringleaders of the Yahoo hack, also was a source an informant for the US, and tipped the US off to Russian meddling in the election.  So that's another connection.  But again, this is speculation that's been reported.  We’re not making a legal case here, there’s no indictment.  We do know he's been arrested for treason and that he's locked away where he is not speaking to anybody. 

 

ALIA:

What happened to all our other hackers? 

 

BOB:

Alexsey Belan, who is the one who appeared in the sanctions that were issued by the state department and Pres. Obama, right after the election.  As far as we know, he's in Russia, perhaps being actively protected by the Russian Government, and perhaps they are even feeding him intelligence on how he can continue to evade law enforcement.  And perhaps he’s still doing the kind of work he was doing before, but we don't know.

 

ALIA:

So Belan is laying low.  Karim Baratov?

 

BOB:

Your penpal Baratov, is awaiting sentencing, was supposed to be this winter, but it's been postponed a couple of times.  So he's sitting in a jail, waiting to find out how long he's going to have to sit in that jail. 

 

ALIA:

Quick update on that: Karim Baratov’s sentencing is finally scheduled to take place on March 27, the day after we launch this podcast.  After that, he may be able to share his story more freely.  In the meantime, I’ll be reading his jokes, enjoying his origami, and sending him young adult novel recommendations.

Igor Sushchin.

 

BOB:

Well, we don't know. 

 

ALIA:

He is the big unknown.  We don't have a clue what he's doing, we really didn't- we don't know a lot about him to begin with, but we definitely don't have a clue like what he’s doing right now.

 

BOB:

Right, he's the one who didn't have much footprint in the underworld to begin with.  It seems as if he's the career FSB professional.  And as far as we know, that continues.  This may or may not be the right time to call your attention to this, but something else that's been burning in my brain about the indictment, is two things: early on, it says these four people were indicted, and then it says persons known and unknown. 

 

ALIA:

Meaning there are other persons, they’re just- they’re not naming them.

 

BOB:

Yeah, and specifically known.  I mean unknown this is sort of catchall, in case there’s someone else, maybe kinda.  But they suggest in this indictment there are people known.  And later on, when they mention Sushchin, they mention FSB Officer 3, whose name is unknown.  Because I wonder if in this ‘where are they now’ thing, we might want to say ‘what about FSB Officer 3?’

 

ALIA:

I mean but yeah what about FSB Officer number 3?

So, that’s where the hackers ended up, known and unknown, but what was the reckoning for Yahoo?

 

JOHN THUNE:

The Yahoo breach we will discuss today compromised over 3 billion user accounts. 

 

SENATOR BILL NELSON:

Involving the personal identification information-

 

SENATOR JERRY MORAN:

Could they be safer if you did more?  Are you doing everything you can do?

 

MARISSA MAYER:

We did not predict a breach.

 

SENATOR JOHN THUNE:

-the entirety of Yahoo mail and other Yahoo owned accounts, at the time of the breach. 

 

ALIA:

Tell me about these senate hearings.  They took place not too long ago in late 2017.  Can we just take a step back for a second, like why do these Senate hearings even happen, what what is the purpose of them?

 

 

BOB:

I mean, often the purpose is just to haul an embarrassed executive into a situation where they have a photograph.  In ideal situations, you have a photograph of them swearing in, because that's the most embarrassing thing.  I don't believe that these they were sworn in for this hearing.  But it's- it's a dog and pony show of the highest order.  Marissa Mayer, by all accounts, performed very well.  It's a very very difficult circumstance.  She spent a lot of time apologizing, but there were no new answers offered.  And as far as we know, that is the last public chapter of the Yahoo hack.  She testified before Congress, after the integration of the company into Oath.  She was speaking basically as a private citizen at that point. 

 

ALIA:

Also, I want to point out that also at this hearing was someone from Verizon, Karen Zacharia.

 

SENATOR JERRY MORAN:

Is the probability of a breach less today at Yahoo than it was prior to your acquisition of the company?

 

KAREN ZACHARIA:

So again we don't calculate the probability of a breach, but what we do do is-

 

SENATOR JERRY MORAN:

Let me ask the question differently then, are are customers more secure today than they were prior to the breach?  Can a customer expect that it will have less expectation that their data is at risk than before the earlier breach? 

 

KAREN ZACHARIA:

What I can tell you Senator is that Verizon has always taken privacy- security very seriously, and we’re bringing this that same focus and that same intensity that we've always brought to protecting our customers and our network, to any new acquisition, including Yahoo. 

 

BOB:

In other words, no.

 

ALIA:

I thought that was so funny. 

 

BOB:

Yeah. 

 

ALIA:

So Bob, was there a real reckoning for Yahoo?  I mean, what's the reckoning for Yahoo here, what’s their ending?

 

BOB:

Yeah, it's a really tough question to answer, because it feels kind of like they got away with it, right, because poof Yahoo’s gone. 

 

ALIA:

Poof, you've married AOL and turned into Oath.

 

BOB:

They kinda married up, right? 

 

ALIA:

They totally married up, and into a much more secure Verizon.  The only real remaining consequences for Yahoo, RIP, are the $350 million reduction off their sale to Verizon, and the 40ish current lawsuits, most of whom are from shareholders. 

 

DENNIS:

Yahoo actually it turns out, I mean as we’ve been talking about this, they actually knew about the breach really early on and never notified.  

 

ALIA:

That’s Dennis Dayman again.

 

DENNIS:

And they probably should've started doing a lot more earlier notifications, versus just some one big notification.  Yeah, I get the excuse that you had to do a lot of research and whatnot, but you know at least put people on some sort of advisement that something happened.  We’ve seen another company or two in the past who have said ‘we believe we’ve been breached.  We’re still doing an investigation on it, and as information comes available to us, we’ll let you know.’  And as it had, they would blog post or email and so most of the lawsuits are just people suing them, because they just were- they were lazy in notifying people about this.  And some of those class-action lawsuits do go around that they were lazy around their security technologies, the type of cookies and authentication technologies they were using, were a little bit outdated for what they were using.  And they should have known about that.

 

ALIA:

But it’s unclear if there's any real teeth in lawsuits like these, over poorly handled data breaches. 

 

DENNIS:

To be honest, outside of these lawsuits winning, I don't know exactly how anybody's going to be able to prove number one harm.  Because that's a big thing that we’ve seen in lawsuits is that ‘hey you know what these guys, they got breached and they had my information.’  And a lot of courts come back and say ‘okay, well fine, you gotta prove me the harm, while you’re asking for whatever amount of money.’  So I think that’s gonna be number one.  I hate to say it, but I think some corporations are kinda smiling at this going ‘yeah good luck with that.  Yeah, we were breached and whatnot and you know we’re sorry.’  But that's all they really have to do.  I think where it would really hurt, is if our government would step in a little bit further.  I mean the Federal Trade Commission has in in years past have levied tons of fines on companies, for doing the wrong things, and it would really take a fine from the government.  But at this point, with Verizon owning it, will the fine happen?  Probably not.  And to be honest, our government typically doesn't get into some of the major major fines.  I think we’re still probably several years away from seeing companies really truly being punished fined for their for their laziness in security and whatnot.  I don’t know, we’ll have to see what happens with it.

 

ALIA:

Okay, so, breaking news on that front.

 

BOB:

Hey, Alia, it’s Bob, and there was just a ruling in a California Federal court, by a judge who was hearing the Yahoo class-action lawsuit.

 

ALIA:

Verizon was trying to dismiss all of these claims of Yahoo’s negligence and breach of contract, but on Friday night, that’s March 11, Judge Lucy Koh ruled against Verizon.  Judge Koh writes: “Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System.”  According to Business Insider, the defendant, Yahoo, tried to dismiss the charges against them, saying they were up against ‘relentless criminal attacks.’  And the plaintiffs’ 20/20 hindsight did not cast doubt on its unending efforts to thwart constantly evolving security threats.  And then Judge Koh says plaintiffs could try to show that liability limits in Yahoo’s terms of service were “unconscionable,” given the allegations that Yahoo knew its security was deficient, but did little.  So, all of this means big tech giants might be a little more liable than they were before.  In this case, maybe not liable for protecting us better, but for at least telling us sooner than Yahoo did.

 

BOB:

So, to be continued.  Hopefully from a (reporting) standpoint, this means there will be more filings, and we might learn more.

 

ALIA:

I’m going to have to have my Google alert set for the outcome of this lawsuit.  Something tells me every other tech giant is too.

We’re gonna take a quick break to go acquire a tech startup.  Bob, do you think we can go figure out which one is the next Google?

 

BOB:

There is a gold rush in cyber security right now, so you’re- you’re in the right church if not on the right pew.

 

MEGS6492:

Dear Sir or Madam, 

Well done.  You’ve somehow weaseled your way into my digital life.  Let me save you some time, so you can move on to your next victim.  It all started with an AOL account.  I remember the day that CD came in the mail so vividly, and the one that came the next week, and the week after that.  They really went all-in on the direct mail.  I also remember the glorious sound the computer would make as I tied up the phone line, so no one could make any calls.  Oh nameless hacker, you may think you’ve cracked a secret code of my life with the numbers on that email address, Megs6492, but no, they were the completely random choice of an 11 year old, who just thought they sounded cool together.  No Social Security, zip code, telephone, or password digits.  But if for some reason you’re able to access the email archives anyway, please feel free to forward that chain letter on.  I’d hate to have seven years of bad luck.

Sincerely Yours,

Megs6492 of Carbonite

 

ALIA:

The timeline for my sort of involvement with this project goes like this: first we’re just doing a podcast about a big data breach, I'm learning about data breaches, I'm learning about hacking I'm learning about hackers.  And then I got a voicemail, that say goodbye from Yahoo, creepy Yahoo voicemail.  And then Spoke got hacked.  Then we get another indictment from Robert Mueller, and he indicts 13 Russians, and we learned that they’re digitally targeting civilians, which totally impacts our story, and is incredibly relevant to the story we’re telling.  

Another update to that timeline: a few days before this podcast was released, Bob received a notification that read: ‘We detected an unusual login attempt from St. Petersburg, Russia.’

So, now I just feel like this story is so much bigger than I ever thought, and it matters so much more than I ever thought. 

 

BOB:

I mean, I have to be honest with you I write about this stuff all the time.  And when you guys contacted me and said you wanted to do a deep dive into the Yahoo hack, I said ‘huh, all right.’ I mean, it to me it was, you know I sort of live my life like little grenades are going off all the time, and an hour from now there might be another enormous hack that I have to drop everything and do a bunch of stories about, and so I had moved on from it, and I took my eye off the ball.  I was a bad journalist.  I didn't read the SEC filings after they came out.  The sexy part of the Yahoo story happened while we had all taken our eye off the ball and were looking on another way.  I am stunned at the depth of this story.  Every one of those little drip drip drip events from the timeline, would have been a story that dominated the news cycle for a day or two just a couple of years ago.  You know at one point in the middle of nowhere, Yahoo announces ‘Yeah it wasn’t a billion, it was 3 billion.  Yeah, and it wasn't like a few thousand emails, it was 32 million emails that were read.’   And you know I missed all of that.  So, I also will not stop thinking about it.  I hope that we keep going, because there will probably be another drip in this drip drip drip.  I want to know who FSB Agent 3 is, I want to know who the other persons known and unknown are, and I want to know what happens to Dokuchaev.

 

ALIA:

And I want to know what happens to Karim.  And I want to know what happens to Marissa Mayer, even though she's not really related to Yahoo anymore, I'm curious.  I also wonder about that 3 billion users worth of data that's still floating out there somewhere and hasn't surfaced. 

 

BOB:

Somebody has it, and then somebody will eventually use it for his own purpose, and we don't know.

 

ALIA:

I wonder.  I wonder what's next in Russia's playbook here.  I wonder if more Russians will get indicted. 

 

BOB:

And I wonder how does Donald Trump’s strange relationship with Russia even impact whether or not we ever see additional indictments in this crime. 

 

ALIA:

Well, breaking news if I look at my push notifications.  Thursday, March 15 at 9:33 AM, Trump admin announces new Russia Sanctions, its most significant response so far to election meddling.  Oh, and then, on March 20, Trump calls Putin to congratulate him on his election victory, so...

There are all these questions left over as to what happens next with the Yahoo hacks, and we know the consequences for some of the players in our story.  There's been penance for everyone not actively sheltered by Russia, A.K.A.  Karim.  There were major consequences for Yahoo, losing $350 million off their value, and also facing some lawsuits, whether they have teeth or not.  But my question is who makes restitution to the individuals, to Yahoo users, to me?  Who fixes this for the consumer?

 

BOB:

One of the biggest problems with the design of the entire internet right now, and specifically with issues like security and privacy, is that there is no restitution for victims.  There is this tremendous cost shifting that has occurred, and no one has questioned it.  So, if the guy above you leaks water into your bar and your bar closes for two weeks, you sue them not just for the damage, you sue them for the loss of income to your business.  There is nothing in the consumer world that's parallel.  It's like a free gift to all of these corporations, because they know they can spend the currency of their users privacy infinitely, with no cost.  This breach shows that perhaps there will be costs associated with it, and we know that it cost Yahoo about $350 million, and there's a vague sense of loss of trust.  But for individual human beings, you can’t send the bill to anybody when this costs you money or time, or frustration, or blood pressure points, and that's really unfair.

 

ALIA:

So what you're saying is there is no restitution for me. 

 

BOB:

Not only is there no restitution, but I feel like the entire system is designed to take advantage of you.  Like this is a cost that you incur, that companies don’t incur.  I really think this is an economic issue, and that the only way that'll get solved, is that when something like Yahoo happens, and you suffer from anxiety, and it is something else you have to worry about, we put a price tag on that in other parts of life.  You know pain and suffering is a part of civil lawsuits.  There’s- there's no way to compensate victims of situations like this.  Companies involved get off scot-free, they have no expense.  They have some legal expenses to go with this, and maybe they write a small check for credit monitoring or whatever, but in reality you're the one who bears the cost, and that's wrong.

 

ALIA:

What am I to do?  Because I can't opt out.  I can't opt out, and no one is going to be held responsible if and when my data is compromised.

 

BOB:

Some people might say that you're the commodity, which is brutal enough.

 

ALIA:

That sounds awful. 

 

BOB:

But I would say, at least you pay something for commodities.  This is somebody using a natural resource, not paying anything for it, and the consequences of that hit us every day. 

 

ALIA:

The natural resource of our data, our privacy, our security, being drained daily, with no way for us to protect it.  When I got my goodbye from Yahoo voicemail, it felt like a weird creepy coincidence.  But it also felt like too big a lead to claim there was some kind of hacking conspiracy afoot, someone rooting around my Yahoo account for my personal data.  But the more we look at the Yahoo breach, the more it seems like my voicemail was just a tiny drop in the bucket of a much larger faulty system, designed around keeping my data vulnerable.  Voicemail or not, my info has been available to anyone who wants it. 

I feel like this is so important, and I feel like we’re getting played, and I feel like it's going to mean a really dark future for us if if we don't do something and if we don't start speaking up as consumers.  I'm really afraid.  I'm really afraid.  That’s how I'm feeling right now. 

 

BOB:

I mean I do think we have allowed companies to build these massive systems, designed to play us, and then we act surprised when they’re used by a nation-state against us.  We shouldn't be. 

 

ALIA:

The larger conspiracy was the illusion that I even had privacy to begin with.  So Bob, what can we do?

 

BOB:

Way back at the beginning of when we you and I started talking, we had the caution falling rocks conversation, which I just revisited in my head.  And and you essentially challenged me to say ‘Bob don't do this caution falling rocks thing with me.’ and we are in grave danger of doing that right now.  If you're asking me for you know three ways to secure your identity, I can't give them.  But I do think that there are some things that we need to do, and I'm going to end with a story about kindergarten to give us all a brief moment of hope.  But before I get to the kindergarten story, let me just say that there are specific instances where consumers with loud voices have pushed back and have made changes.  So Facebook has encountered this several times, where there were things that Facebook did that seemed to cross a line for consumers, and they yelled, and Facebook relented.

 

ALIA:

So what should we as consumers be demanding?

 

BOB:

I am one who believes that there should be strict Federal rules around things like expiration dates for data.  So, one of the biggest problems we have is that most programmers are pack rats.  And European privacy rules offer this.  When data is collected, it should only be used for the purpose for which it was collected, and then discarded.  So, when you go through an E-Zpass tollbooth, E-Zpass people should take their money, and then they should erase the record of it.  They don't need it for anything else.  But instead, E-Zpass could now put on a map all the places I've driven for the past four and a half years.  Why do they need that?  We don't know, but they have it, and that increases my attack footprint.  So, I'm one who believes in this idea of data expiration fo- just as an example.  I'm also one who believes that that this is an economic problem at core, and one one way to fix it would be: it's a broken market that needs needs to be addressed, so people should earn money when their data is used to earn money.  You should be a partner in the sale of your personal information.  That would do a lot of things, that would make you much more aware of what was happening, and that would make companies only use it when it made a lot of sense to them.  It would take a long way to get there, but we need to start having these kinds of conversations, and we need Federal rules that give people more power over their information. 

 

 

ALIA:

And now Bob, can you please take us to kindergarten? 

 

BOB:

And now, I want to- want to tell my kindergarten story.  When I wrote my identity theft book, a co- a reporter who I worked with, a colleague, brought in for me a piece of paper that was a cute little drawing that her kid had done in kindergarten.  And it was- I don't even remember what the drawing was, I'm sure it was her and her dog or something like that in crayon, very adorable.  And I looked at it and I was like ‘ah thanks, why does this help me with my book?’  And and she said turn it over.  So I turned the piece of paper over, and it's a medical form from a doctor's office, with information on a patient and all of their prescriptions that that they had been issued from the prior visit or whatnot.  Then I said ‘oh, I know why this is related, what am I looking at here?’  And she said ‘well, this school like many schools has this massive drive to recycle.  And so they're working really really hard you know to not have their kids waste paper on their art projects.  So you're looking at recycled paper.  Unfortunately, the recycled paper was people's private information.’  And I tell that story, because obviously a very well-intentioned school made a mistake.  But also, it took decades for America to get away from the idea that we could just throw pieces of paper on the ground, and instead we should at a bare minimum put them in the trash.  And then we went from there to this massive system where now we don't just take out the trash, we throw bottles in different bins, and it's all a big huge pain in the ass, right.  But we do it, because we want to save the planet, and it's the right thing to do.  It's a lot of extra work, and it took a lot of time and a lot of structure.  That's exactly what we have to do with data.  We have to have that kind of a decades-long movement where we have a brand-new respect for how hard it is to keep this stuff safe, and how important it is.  And it's going to stink, it’s gonna be expensive, and we’re going to do it anyway, because we care about the planet, and we care about ourselves.

 

ALIA:

And now I am wondering why is that not being talked about all the time?  Why is that not a matter that comes up just as often as the future of our planet, global warming, all of these these things that we’re constantly talking about?  It’s the future, right, like the future is at stake. 

 

BOB:

Unless people, corporations, and the government, see this issue with the same extreme gravity as huge social issues like the environment, like the interstate highway system, like the Cold War, unless people take this issue that seriously, I think we have a pretty dark future ahead.  We live in a time where there's an opportunity to make that hard right turn and realize this issue is as important as those, and it's going to take every one of those stakeholders to get involved, but it has to be that big an issue, or else we are gonna keep going down this path.

 

ALIA:

So, we’re at this turning point.  I mean, this is a really pivotal time. 

 

BOB:

Yahoo, Tumblr, Equifax, Evernote, Uber, United States Department of Defense, Apple, United States Army, Bank of America, United States Department of Veterans Affairs, Deloitte, Department of Homeland Security, Starbucks, Fidelity National Information Services, AT&T, Gmail, Citigroup, Barnes & Noble, Hyatt Hotels, AOL, Compass Bank, Emory Healthcare, Steam, Nintendo, Home Depot, Stanford University, Snapchat, 21st Century Oncology, Wendy's, Hilton Hotels, Zappos, Global Payments, J.P.  Morgan Chase, Neiman Marcus, Hewlett-Packard, Mozilla, CVS, UPS, eBay, Target, Medicaid, Slack, Anthem, Adobe Systems, LinkedIn, Scottrade, Twitter, Trump Hotels, Walmart, the State of Texas, monster.com, TD Ameritrade, the IRS, TD Bank, Dropbox, Sony Pictures

 

ALIA:

With the number of breached companies growing every day, we’re in a situation kind of like Yahoo was near the end.  The question of ‘have I been hacked,’ is long gone.  Now, it's about how to respond to a hack, how to recover what we can, how to proceed with caution, how to advocate for new policies that protect what matters.  The question isn't ‘have I been hacked.’  The question is ‘how will I respond now that I know I've been hacked, or I'm going to be hacked.’  So, what are you gonna do?

 

ALIA CREDITS:

Breach is a branded podcast, brought to you by Carbonite, in partnership with Midroll and Spoke Media.  

 

You can find transcripts and show notes at carbonite.com/breach. 

If you like what you’re hearing, leave us a review.  Reviews are how people will find us, and learn to change their passwords immediately.  

 

If cybersecurity reporting was vampire slaying, Bob Sullivan would be Xander, Willow, and Buffy.  Our show is produced by Alia Tavakolian - that's me - and Janielle Kastner, with associate producers Stephen Gardner and Carson McCain.  When Bob and I are in the studio, we’re recorded by Jared O'Connell.  Our  show is mixed and sound designed by Mark Moncrieff.  The songs you hear come from APM music.  Our executive producers are Alex DiPalma and Keith Reynolds, who admits to not being the most tech savvy person in the world, but wants everyone to know he’s only 34.  Special thanks to Megan Wittenberger at Carbonite, all of our experts, Katie Moussouris, Art Lucchesi, Ben Johnson of Obsidian Security, Gavin Hales at Abertay University, Kelly Lum and Damon McCoy at NYU’s Tandon School of Engineering, Michael Isikoff, Dennis Dayman, Karl Greenberg, Amy Knight, Nicholas Carlson, Nicole Perlroth, Andrei Soldatov, Harri Hursti, Alathea Hensley and McKenzie Newman, Brooks Egerton, Chris Brown and James Range at White Rock Security, and super special thanks to Brandon, Kris, Preston, Jennifer, and Kostya for bearing with us these last few months.

What happened to the men with Russian ties indicted in the Yahoo data breach? One is possibly being protected by the Russian government, while another awaits sentencing. And another is in a Russian prison facing charges of treason.

 

What are the consequences for Yahoo executives and other tech firms who oversee networks and private data? Marissa Mayer and other tech executives testified before the U.S. Senate on the matter—but don't expect any fines to be levied soon.

 

One more question: Will consumers get an opportunity to sue for restitution? In the Breach season one finale, we examine the aftermath of the Yahoo hack, discussing what it means for our personal privacy, our corporate business practices and our democracy.