In the year of 1994, Stanford University graduates, Jerry Yang and David Filo dabbled in a hobby of their own by compiling a directory of about 2,000 websites. This hobby soon turned into a full-time project as their guide to the World Wide Web garnered more than 50,000 hits a day (McCollough, 2015). What started off as “Jerry and David’s Guide to the World Wide Web”, a companion to direct new users to around the uncharted shores of the Internet, transformed into one of the most successful and groundbreaking Internet businesses of all time – a web services provider renamed as “Yahoo!” (an acronym for Yet Another Hierarchically Officious Oracle). It has since become an expansive conglomerate for technology and advertising-focused businesses.
It is a widely known fact that in the 1990s, Yahoo began to rise in fame with its web search engine which served as a starting point for even the least tech-savvy Internet users in order to be redirected to various websites. The Yahoo! Directory helped users navigate their way through the Internet with its organised tiers of subject titles (McCollough, 2015). For example, if a user wanted to look up and do research on something related to the human body, they would need to follow the path on the directory: Science → Biology → The Human Body → Organs. Before technical search engines came to be, where keywords were typed in and websites could be navigated in an instance, Yahoo! Directory was the go-to for many users despite its tedious method of manually clicking through various generic terms/headings before finding a suitable website. However, in recent years, this has proved to be one of the main causes for Yahoo! Directory’s downfall. The exponential technological advancements in the recent years have provided users with a much faster, hassle-free and accurate method of accessing information such as Google and Bing. As a result, after 20 years of service, Yahoo finally closed its directory service in 2014.
As time progressed, Yahoo launched several new services such as Yahoo! Mail, Yahoo! News, Yahoo! Answers and many more, which helped to sustain the enormous website traffic that Yahoo has amassed throughout its years of operation since 1994. Besides having its own brand of services, Yahoo also owns subsidiaries such as Tumblr and Flickr – a social media website and a photo/video-sharing application respectively (Cassell, 2015).
Introduction to Yahoo’s Hacking Crisis
Yahoo has been subjected to multiple data breaches over the years that have jeopardized the safety of their millions of users. Despite the fact that these data breaches have occurred more than once, Yahoo failed to disclose this vital piece of information with the public. The first time Yahoo disclosed a breach was in September of 2014 when almost 500 million Yahoo user accounts were hacked (‘Email hack’, 2016).
Yahoo then revealed in December of 2014 that there was another breach that had occurred earlier in 2013. This breach was of a much larger scale where one billion accounts were affected, according to Yahoo (Goel & Perlroth, 2016). The effects of the disclosure of this breach was what forced Yahoo into going through with Verizon buying over Yahoo’s core assets for $4.48 billion. This buyout offer was almost ten times lower than Microsoft’s bid to buyout Yahoo in 2008 (‘Identity crisis’, 2016) .
However, the information about the disclosure regarding the 2013 breach was found to be untrue when Verizon Communications Inc. revealed that a whopping three billion Yahoo accounts were affected by the 2013 data breach. In light of this, Yahoo suffered a loss of $350 million as compared to their original offer by Verizon (Mullen & Fiegerman, 2017).
The hack occurred with a spear-phishing email sent to a Yahoo employee. With the spear-phishing email, the Russian hackers were able to navigate their way through the company’s network and access Yahoo’s user database alongside the Account Management Tool, which is used to edit said database (Williams, 2017). This cyber attack involved information ranging from names and telephone numbers to encrypted security questions that could be used to change passwords (Goel & Perlroth, 2016).
Requisite Variety
In 2013, Yahoo launched a project that promised better security of users’ passwords and information – a security that would abandon an encryption algorithm known as MD5. The MD5 is a hashing function that helps to store passwords and checks whether the password is correct without storing it in the network. As such, the hash of the password that you use must be the same as the one that matches the hash in the network.
However, despite its advantages, MD5 has been known to be easily decrypted by security experts. Five years before Yahoo launched its security project, a warning was made public to security experts about how MD5 is unsuitable and even discouraged from being used as a security measure to protect databases. Although Yahoo has announced that no passwords have been leaked out, Stockley (2016) explained that a hacker could obtain its database of password hashes and easily decrypt with a program that guesses what the passwords contain until it correctly matches with what has been stored in the former.
This brings about the concept of requisite variety whereby organisations are faced with the challenge of being able to adapt to the environment that they are placed in (Miller, 2012). The organisation would have to recognise, understand and apply relevant solutions to the problems that they face or else they would be deemed unfit to survive in the face of conflict.
In the circumstances of Yahoo’s data theft, whether it be unfortunate timing or lacklustre decisions being made, the company’s failure to adopt a better security measure than MD5 has costed them their users’ trust in their capabilities. If Yahoo were able to adopt requisite variety by employing stronger hashing technology or security designs, it would have been more difficult for their databases to be hacked which would in turn, minimise the impact of the attack (Villas-Boas, 2017).
Despite Yahoo’s groundbreaking beginnings, the company has grown to be notorious because of its hacking breaches in the past few years. As such, the team would be analysing Yahoo’s organisational crisis by applying communication concepts to understand the entirety of the problem.
PART II: Analysis of the Problem
Introduction to Analysis of the Problem
This section explores the three communication concepts on the Yahoo hacking crisis which consists of the ineffective withhold and uphold strategy, management involved in groupthink and the adoption of Theory X management style.
Parties Involved In The Hacking Crisis
Yahoo’s massive data breach crisis is no doubt one of the biggest data breaches in history with over half a billion Yahoo users affected. The crisis evolved around the several Yahoo hacking incidents that threatened the cyber security of three billion Yahoo users in 2013 and 500 million victims in 2014 as mentioned in the above section. The stolen information consisted of the usernames, passwords, phone numbers, answers to security questions, birthdates and backup email addresses (Robertson, 2016). While Yahoo has reassured its users that most of the stolen passwords were difficult to decrypt, the cyber safety of the victims has been compromised as their stolen email addresses could potentially be targeted with spam attacks and other methods could be used to manipulate them into revealing more personal information (Kan, 2016). The victims of the severe attack not only include regular users but the US governm
ent and military employees whose data has been comprom
ised. Robertson and Jordan (2016) highlighted that the hackers have access to the government employees’ personal and official government accounts and foreign spies could easily get ahold of the accounts to target which threatens national security.
After the investigation of Yahoo’s data breaches, in March 2017, the FBI revealed that they have charged four people including two Russian Intelligence Agents, Dmitry Dokuchaev and Igor Sushchin for their involvement in the massive Yahoo hack (Williams, 2017). After confirming the 2014 data hack, Yahoo blamed the attack on a state sponsored group based on evidence that the company was under target for a while. According to Williams (2017), the group that planned the attack was the Russian Federal Security Service (FSB) where the two Russian agents paid two other criminal hackers to break into Yahoo’s system and targeted the Yahoo accounts of the Russian and US government officials. The FSB’s main motive was to steal information that had intelligence value while the criminal hackers attacked regular users’ accounts to steal data for their own financial profits. The FBI explained that the hackers managed to get access to Yahoo’s user database and the Account Management Tool which allowed them to determine their targets.
Implications
Yahoo’s second disclosure caused its market value to plunge by six percent and affected the sale of Yahoo to Verizon Sale. Based on the severity of the situation, Verizon demanded for a $925 million discount from its agreed upon purchase price. It was only after negotiation that Verizon agreed to only a $350 million discount, still a huge drop in worth for Yahoo (Owusu, 2017). Following the several hacking attacks, Yahoo and its executives had to bear with the hefty financial burden and the crisis’ consequences. Yahoo disclosed that they had spent $16 million towards their cyber incidents, of which $5 million related to forensic investigation and remediation activities, and $11 million went towards legal costs.
In addition, Yahoo faces investigations from five state and federal agencies, including the SEC, FTC, US Attorney’s Office for the Southern District of New York, and two State Attorneys General on top of the class action lawsuits previously mentioned (Coleman, 2017). In light of Yahoo’s executives accepting the consequences, Yahoo’s former chief executive, Marissa Mayer, gave up her 2016 cash bonus following the incident and the company’s top lawyer, Ronald Bell, resigned in the wake of the hack and the other breaches. Some 43 consumer class-action lawsuits have been filed against the company, Yahoo said in a May filing with the Securities and Exchange Commission (Rushe, 2017). This could result in a huge setback for Yahoo as their lack of cyber security is a huge threat to brand reputation and trust with its customers that were established over the years will be damaged.
Three Communication Concepts
A review of various sources has led to three main ideas that contributed to Yahoo’s data breach crisis. The first key idea is Yahoo’s management practiced the ineffective strategy of withhold and uphold of information from their stakeholders. The secondary main idea is that Yahoo’s management and employees were involved in groupthink on how to deal with the crisis that took place. The concern for group conformity and harmony resulted in the poor decision making of not revealing the data breaches until much later. Lastly, the third key aspect is that Yahoo’s management practiced Theory X management style where higher management were more involved in the hacking crisis while the lower level employees were not as involved.
Withhold and Uphold Strategy
The first main idea points to the management strategy that Yahoo’s management had adopted to communicate with their stakeholders consisting of their customers, Verizon and the legal committee. According to Miller (2015), Clampitt, Dekoch and Cashman organized seven managerial strategies for communicating about change (Organizational Strategies, p. 181). After reviewing Yahoo’s use of managerial strategies during the crisis and post-crisis, it was concluded that the company implemented the withhold and uphold method which was determined as the least effective strategy (Miller, 2015). The description of the withhold and uphold strategy is that the top management concealed information from their employees and maintains the party line even when their employees challenge them with questions. In this light, Yahoo’s management withheld the information about their multiple data breaches from their stakeholders and employees during the crisis stages.
Yahoo was not transparent about the series of hacking events that occurred throughout the past few years not only to the public, but to many of their own employees within the company as well. In September 2016, Yahoo disclosed the hacking incident that took place in 2014 which affected more than 500 million Yahoo users as their personal account information were stolen during the breach (Kerner, 2017). Their disclosure of the major online hack took about two years which came as a surprise to many that they did not investigate this breach earlier. According to Ponemon Institute, an institute that tracks data breaches, highlighted that the average duration an organisation takes to detect an attack is around six months and the estimated time to control the breach is around two months after discovery (Information Management Journal, 2017).
Upon finding out about the data breach in 2014, an independent committee was set up to launch an official investigation into this issue (Kuchler, 2016). Apart from the management and the employees within the independent committee, other employees of the company were not aware of the data breach and network intrusion in 2014 (Hackett, 2016). This shows that the management had the intent to cover up from its employees, which also explains how such a massive data breach could be kept under wraps from the public for more than two years. This shows that Yahoo had adopted the withhold and uphold strategy and withheld the data breach information from their stakeholders for two years since the attack.
While Yahoo has officially confirmed and admitted to their several data breach incidents, they continue to contain other important information from their stakeholders even after the disclosure. Curran (2017) highlighted that during a September 2016 Senator committee briefing conference, Yahoo’s representatives did not attempt to provide any information beyond what is publicly disclosed on the nature of the breaches and the measures they have implemented to mitigate the effects despite committing to do so. As the Senate Republican leaders had concerns that Yahoo was not completely truthful when briefing them on the hacks, they had written a letter to Yahoo’s then Chief Executive Officer Marissa Mayer in request for a response to their concerns regarding the two big data breaches. It was then reported that in December 2016, Yahoo had pledged to inform the committee but unexpectedly annulled the conference just days before it was arranged to take place on January 31 (Curran, 2017). In addition to Yahoo repeatedly withholding information from the Congress, their sudden decision to cancel the January 31 briefing raised doubts about the company’s willingness to be honest and transparent when working with the committee. Hence, Yahoo’s several attempts to avoid sharing additional information of the attacks and their future plans with the Senators committee supports the idea that they mainly use the withhold and uphold strategy.
Groupthink
Groupthink is the practice of thinking and making decisions as a group, which usually results in poorly-made decisions as possibilities were not explored for the best but centered around what the g
roup thinks in order to preserve harmo
ny (Miller, 2015).
Yahoo has shown to have established a culture of groupthink for a long time, even before the hacking crisis occured. This is especially evident during CEO Marissa Mayer’s leadership which portrays her as a strongly opinionated and close-minded individual, making most of the decisions within the board and receiving little opposition. Mayer is often described to be disregarding opposing views to her own, undermin
How the company dealt with the crisis after it happened also affected Yahoo adversely when they failed to make the decision to disclose the matter but instead agreed to avoid the issue and to cover up the damage done. There was a collective consensus by members that the hacking case should not be revealed when it happened, which led to it only being disclosed years after it happened. There were frequent changes in leadership of its security team and the company wide stress of finding a buyer which could have led to the delay in disclosing the hacks (Ye, Y.). This is especially so because new leaders might find it harder to bring up differing opinions from the group, especially if they are major ones, and make “easier” decisions even if it is against their better judgements.
Traces of groupthink within Yahoo itself were also evident. There were internal sources at Yahoo who revealed that there were previous incidents not managed swiftly by the CEO of Yahoo and even when urged to take a stronger stance on matters, was not successful and effective at doing so (Swisher & Wagner, 2016). This suggests that there were people within the company who felt that things were not managed well but was not able to act on the concern because of the overriding power and pressure that the group of decision-makers at Yahoo had on dissidents. The leaders were largely reliant on their self-appointed mindguards while the members themselves had direct pressure on dissidents, choosing to go along with the decisions being made in the company instead of voicing out their doubts.
Theory X
Yahoo has also seemingly used the approach of Theory X in its management where the higher management were the ones more largely involved in the hacking incidents and little were revealed to the members, nor were they involved in the problem-solving process. Theory X argues that people are people are not motivated by nature and the management is responsible for organising and managing money, material and people for economic ends, that people are passive and resistant to the achievement of organisational needs without intervention (Miller, 2015).
One of the ways in which Yahoo’s Theory X management style is evident could be seen from the ban that Yahoo has placed on their workers working from home, believing that working in the office would be more productive for the workers (Gapper, 2013). This centralised style of management, monitoring and surveillance on workers, and undermining of employees’ abilities also affected Yahoo during their hacking crisis. Although the crisis was huge, limited information was released to the public and the management took care of everything, deciding to cover up the whole incident only until years later, believing that disclosing it would be a huge loss for the company, as it proved to be later during the sale to Verizon (Owusu, 2017).
PART III: Suggestions for the Organization
As discussed in the above sections, Yahoo faced a major organizational crisis when it’s servers were hacked, resulting in data breach, compromising the privacies of many users. However, Yahoo’s crisis was kept under wraps for almost two years. When the data breach incident came to light, their reputation suffered a huge blow, resulting in many other implications as well (as mentioned in part two). While the objective of this section of the paper aims to uncover more effective solutions that Yahoo could have utilized to remedy the crisis, additional successful crisis management examples carried out by other organizations will also be further examined below. This is essential in discovering key learning points that could ultimately be applied by Yahoo.
Examples of successful crisis management
Domino’s
Domino’s was caught in a crisis after a video of two of its employees contaminating the ingredients used in the sandwiches and pizzas before serving it to their customers was uploaded on Youtube (Clifford, 2009). Within a short period of time, the video received much attention — more than half a million views in two days, and Domino’s was hit with a series of backlash and criticisms (Park, Cha, Kim & Jeong, 2012). While Domino’s was slow to detect the video in the beginning, it reacted quickly and decisively after being informed of the video. The Chief Executive Officer (CEO) of Domino’s, Patrick Doyle, uploaded an apology video which addressed the crisis directly on social media, providing an update on the responses taken by the company to rectify the issue as well — an approach that was not done by any other organization then (Veil, Sellnow & Petrun, 2012). The video was then shared extensively, and successfully managed to curb the criticisms and hate towards the company, which gradually brought the organization back on track.
Leon Lai
Cantopop singer, Leon Lai, took a similar approach by responding directly to the crisis on social media, after his first out of the scheduled six concerts in Hong Kong was forced to be cancelled due to fire safety issues (Cheng, 2016). Despite leaving fans disappointed, Leon managed to escape this crisis unscathed. Upon knowing that the permit for his venue was not approved on the day of the concert, Leon took to social media to inform his fans of the issue immediately together with an apology video (Cheung, 2016). Following that video, Leon continued to upload a string of videos to provide fans with timely updates on what was going to happen, and what were the approaches taken by his team to rectify the issue to ensure that his subsequent concerts could go as planned (Cheung, 2016). Instead of being criticised, Leon was praised by both fans and the media on the way he handled the crisis, showing how a crisis can be turned into an opportunity.
Suggestions
Organization Crisis
Yahoo’s situation was similar to the two examples listed as above. However, what was different of Yahoo from Domino’s as well as Leon Lai was the way the crisis was handled. As such, the organizational crisis concept as discussed in the Organizational Communication: Approaches and processes would be utilized in the first suggestion, using the case studies from Domino’s and Leon Lai as learning points.
Pre-Crisis Stage
Organization members should work to prepare for a possible crisis that may occur. An organizational crisis, as defined by Bundy, Pfarrer, Short and Coombs (2017), is an event perceived by organizational members as pertinent and unanticipated, which poses a threat to an organization’s goals and also affects the organization’s relationships with its stakeholders.
As an company that specializes in web services which holds many personal information of their users, Yahoo should have foreseen issues of data breach coming their way, as other major organizations such as Sony and Verisign had also previously been plagued by data breach issues. As such, there should be a crisis support team that had already been set up before any cyber security breach, ready to tackle on data breach when it comes in their way. The public relations or communications team within the department should also be ready to deal with the backlash from users and media, and be prepared with solutions to answer to the the public.
Crisis Stage
During this phase, the event that threate
ns the survival of the organization has occurred, and in t
he meantime, amongst all the confusion and uncertainty, both people within and outside of the organization will attempt to make sense of what has happened (Miller, 2015).
When the data breach has occurred, Yahoo should have immediately informed its users about this issue, as seen in the case study of Leon Lai. After all, the personal information of three billions were compromised and stolen, and as such, the public has the right to know. One of the major mistakes made by Yahoo was to keep silent about the whole issue for more than two years. Hence, when news of the data breach by Yahoo broke out, it did not go well with both the public and the media. Their credibility and reputation went crumbling down. It also goes to show that they tried to bury the whole issue altogether, with no intention of taking responsibility for what has happened, unlike Domino’s and Leon Lai, who both demonstrated genuine regret towards the crisis that occurred to them, and also displayed their willingness to shoulder responsibility, which in turn, was well received by the public.
Post-crisis
The main purpose of this stage would be focusing on determining responsibility and to establish systems to handle such crisis in the future (Miller, 2015). At this phase, once the breach has been contained and solved, there are several key issues to be addressed. Once of which would be determining the main cause of the data breach. With this information, Yahoo should improve their security to prevent and protect themselves from another cyber security attack in the future. Even with improved security, Yahoo should not let their guard down and have a crisis support team ready to deal with a possible data breach.
Cognitive Model of Participative Decision-Making
As mentioned in section two of this paper, one of the strategies that were utilized by the Yahoo management was ‘Withhold and Uphold’— where the management would keep information away from their employees, and when confronted with questions and rumours, they would uphold the party line (Miller, 2015). Apart from the management and those who were in the independent committee board, most of the other organizational members of the company were not aware of the data breach.
However, in the concept of Cognitive Model of Participative Decision Making, it was stated that when organizational employees are given opportunities to participate in the decision-making of the organization, decisions would be made with higher quality information (Miller, 2015). According to Kim (2002), employees’ participation in decision-making often leads to organization effectiveness. As such, during the decision-making process, there is both an upward and downward flow of information between the management and the employees, and since employees are the ones doing the job, they would have a better understanding on how it is best to accomplish the task (Miller, 2015). Likewise, in this situation where Yahoo was suffering from a major data breach, if the employees were made known to this crisis earlier and encouraged to step forward with any solutions they had in mind, the crisis could have been contained earlier and even be resolved quicker. Well-informed and engaged employees with a clear understanding of the crisis and their roles within it could be powerful assets to help the organization at a time in need. To ensure that participative decision-making is made possible within the organization, Yahoo should commit to moving its organizational culture forward from the traditional ways of hierarchical structure, giving employees more opportunities to actively participate in the decision-making process of the organization (Kim, 2002).
Framing
According to Miller (2015), framing is “a way of managing meaning” whereby one or more parts of the subject are chosen and focussed upon over other parts.
Based on a study conducted by Clayes and Cauberghe (2014), the framing of information by an organization has an effect on the public’s perception and evaluation of organizational messages, resulting in the particular response towards an organizational crisis. Another study by Kim and Cameron (2011) has also shown that corporate messages with emphasis on the relief and well-being of crisis victims have the tendency to improve the public’s perception of the organization’s credibility. As such, in this case of data breach for Yahoo, they can craft their messages to the public in a such way to show that decisions are made with the victims, in this case, Yahoo’s users’, in mind. One method would be stating that they value in protecting the privacies and personal informations of their users, and will commit their resources to the investigation of the issue and also to the upgrading of their security walls to prevent further infiltration. Messages, are framed to consider the perspective of their users, which showcases their commitment to serve their consumers and also their willingness to shoulder responsibility.