Now, just a few days after Verizon learned of the breach, it is contending with the ramifications of what is believed to be the largest hack of a single company. Even as Verizon tries to assess the damage at Yahoo and prevent further security intrusions, the scope of the hack and the potential fallout â including the possibility of a costly class-action lawsuit â is inevitably prompting renewed scrutiny of a deal that was intended to transform the telecom behemoth into a digital media powerhouse.
Simple tips to follow if you think your personal information online has been exposed to hackers.
For now, Verizon has given no indication of whether the breach will affect its plans to acquire Yahoo. On Friday, the company declined to provide a comment beyond a statement it issued on Thursday, in which it said it would evaluate the situation âas the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.â
Yahoo declined to provide further comment on Friday.
The effort is complicated because the sales proceedings between Verizon and Yahoo are at an early stage. Though teams from the two companies were already working together on integration plans, Verizon does not yet own Yahoo. As a result, Verizon does not have direct access to the Silicon Valley companyâs servers to conduct its own investigation.
In late July, after the Verizon deal was announced, Yahoo became aware of a claim that about 280 million of its user credentials had been hacked, according to a person briefed on the specifics, who spoke on the condition of anonymity. Yahoo started an investigation but could not substantiate the claim, this person said. It was not clear on Friday whether Yahoo had made Verizon aware that it was looking into this claim in July.
During the course of that investigation, Yahoo learned of the more severe breach, which it has said it believes was state-sponsored. Yahoo has not yet said exactly when it realized how large the intrusion was, leaving open the question of whether Ms. Mayer and her team waited to notify Verizon of the hack. Yahoo is now working with outside security consultants on the matter, and said its investigation was continuing.
Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.
âThey could say, âThis thing is huge. We want to walk away from the transaction,ââ he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.
Such claims can be difficult to prove in court. According to Mr. Quinnâs reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information.
In the merger agreement, Yahoo states that âthere have not been any incidents of, or third-party claims allegingâ security breaches or thefts of user data that might result in a major change to the value of the company.
More likely, Mr. Quinn said, Verizon could pressure Yahoo to renegotiate the terms of the deal.
âThey go to court, or threaten to go to court, and renegotiate the price,â he said. âThat can be a very winning strategy.â
Find out which parts of your identity may have been stolen in major hacking attacks over the last three years.
OPEN Interactive Graphic
Like any big company contemplating an acquisition, Verizon performed due diligence on Yahoo before it agreed to the deal. It was not immediately clear, however, how seriously it took security issues during that process.
But Verizon would have known that Yahoo has a history of breaches. In 2012, Yahoo said that more than 450,000 user accounts had been hacked.
Such issues are increasingly pertinent to mergers and acquisitions. In a 2014 report, lawyers from Freshfields Bruckhaus Deringer wrote that corporate buyers were still not taking security due diligence seriously enough.
âWith this concerted action and a series of high-profile strikes on businesses including eBay, Target and Yahoo, the risks of cyberattack are evident,â they wrote.
âYet as the global economy recovers and deal activity rises,â the report continues, âincreasing awareness of cyber-risk has not resulted in meaningful changesâ to the mergers and acquisition process.
Verizon is purchasing Yahoo in the hope that the internet portal will make it a major player in the digital media business, positioning the company to compete with Google and Facebook for ad dollars. The biggest wireless carrier in the United States, with roots going back to the first telephone call in history, Verizon is facing declining revenue and is looking to Silicon Valley for growth.
Those motivations are unlikely to have changed in the course of two months. But it remains unclear whether this new information has made Yahoo a less desirable acquisition target.
Some of Verizonâs executives have indicated they may be up to the challenge of a big hack. In a recent talk at Penn State University, Ms. McMahon, the telecom companyâs chief information security officer, suggested that she relished the cat-and-mouse game between hackers and companies.
âI love security,â she said. âI love the offense and the defense of it. The bad guys are innovating just as much as the good guys in terms of their defense. Our job as defenders is to see all that.â