Yahoo (YHOO) today confirmed that information from at least 500 million user accounts was stolen in 2014, by what it is calling a “state-sponsored actor.” This could create a problem for the company’s recent agreement to be acquired by Verizon for $4.8 billion.
The Verizon-Yahoo merger documents include fairly standard material breach language, which basically means that Verizon cannot bail on the deal because of changes in external factors like global political conditions, or, say, a terrorist attack. It also cannot terminate because Yahoo misses financial projections (either internal or external).
Verizon (VZ) could, however, claim a material breach for something like this data hack, by arguing that the event has caused irreparable harm to Yahoo in terms of customer trust and usage. Nonetheless, it would be very tough sledding to get a Delaware court to agree a so-called material adverse event had occurred, particularly given that evidence of reduced usage and related revenue declines, for example, would not be immediately available for quite some time. But it is theoretically possible. Verizon also could use the threat of such a claim to renegotiate its original agreement.
(Related: What You Should Do After the Verizon Hack)
A larger threat to the deal, however, relates to what Yahoo knew and when it knew it. Check out this paragraph from the Verizon-Yahoo merger agreement, dated July 23, 2016:
To the Knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller’s or the Business Subsidiaries’ possession, or other confidential data owned by Seller or the Business Subsidiaries (or provided to Seller or the Business Subsidiaries by their customers) in Seller’s or the Business Subsidiaries’ possession, in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect.
The first possible public reports of this breach didn’t come out until a week after the Verizon deal was announced, via a Motherboard post claiming that a hacker was “advertising 200 million of alleged Yahoo user credentials on the dark web.” Yahoo did tell Motherboard that it was “aware” of the claims, but neither confirmed nor denied their legitimacy.
One other possibility, of course, is that the hack reported by Motherboard is different than what Yahoo today is confirming. The company has not given specifics yet on that.
As for Verizon, the telecom giant says that Yahoo only informed it of the breach within the past two days (i.e., not before the merger agreement was signed). That means, in order to have not breached its warranties and representations to Verizon, Yahoo either: (a) Must have first learned of the 500 million account hack after July 23, but before August 1; or (b) This is a different hack than the one reported by Motherboard.
In a statement, Verizon only would say that it “will evaluate as the investigation continues.”
UPDATE: Yahoo has issued a statement saying that it “has never had reason to believe that there is any connection between the security issue disclosed yesterday and the claims publicized about a hacker in August 2016. Confusing the two events is inaccurate.” Yahoo has declined, however, to say when it first learned of the hack.
