Kshitiz Kapoor (19212090) : CA640 Professional and Research Practice: Ethics Essay
Declaration
An essay submitted to Dublin City University, School of Computing for module CA640
Professional and Research Practice, 2019/2020. I understand that the University regards
breaches of academic integrity and plagiarism as grave and serious. I have read and
understood the DCU Academic Integrity and Plagiarism Policy. I accept the penalties that
may be imposed should I engage in practice or practices that breach this policy. I have
identified and included the source of all facts, ideas, opinions, viewpoints of others in the
assignment references. Direct quotations, paraphrasing, discussion of ideas from books,
journal articles, internet sources, module text, or any other source whatsoever are
acknowledged and the sources cited are identified in the assignment references.
I declare that this material, which I now submit for assessment, is entirely my own work and
has not been taken from the work of others save and to the extent that such work has been
cited and acknowledged within the text of my work. By signing this form or by submitting
this material online I confirm that this assignment, or any part of it, has not been previously
submitted by me or any other person for assessment on this or any other course of study.
By signing this form or by submitting material for assessment online I confirm that I have
read and understood the DCU Academic Integrity and Plagiarism Policy.
CA640 Professional and Research Practice: Ethics Essay | Kshitiz Kapoor
Table of Contents
DECLARATION
INTRODUCTION
ANALOGIES EMPLOYED
CODE OF ETHICS
OPTIMISTIC
PESSIMISTIC
COMPROMISE
CONCLUSION
REFERENCES
Introduction
Yahoo!, an email provider that has been trusted by millions of people worldwide since 1997, was
counted among big names like Gmail and AOL Email because of its comprehensive functionality,
consistency, and security. Yahoo! released a statement on September 22, 2016, saying that some
3 billion personal user accounts were affected due to hacking. Yahoo! reported that a single third
party was responsible for carrying out the colossal data breach, which led to the leakage of personal
data such as full names, email addresses, contact numbers, birth dates and protected account
passwords. This amount of information would clearly be enough for the hacker to commit theft
against the affected users in the future. Although data breaches are nothing new and happen quite
often, this particular breach was considered the largest of its kind ever. In 2014, the majority of
account users received alert emails from Yahoo! claiming that a suspicious party had tried to log
into the accounts by capturing the basic information (Ali, 2017). At this point, the FBI confirmed
that it was investigating the affair.
In September 2016, when the statement was released, it was revealed that the breach took place in
2014, during the time when the users received alert emails from the organization. The release of
this statement resulted in a huge debate among the users on why Yahoo! did not openly declare the
breach in 2014, when a number of suspicious logins were flooding in. Keeping the information about
the breach secret for 2 years was considered unethical (Thomas, 2016). These breaches had an
immediate impact on Verizon Communications' deal to take over Yahoo! in July 2016, as the final
price was decreased by $350 million from the $4.8 billion that was set before.
Literature Review
Data security is becoming progressively more difficult because of the increasing number of external
and internal threats (Richardson, 2011; vanKessel, 2011). Sen and Borle (2015) described a data
breach as “unauthorized access to secure or confidential data resulting in compromising with the
integrity”. Privacy Rights Clearinghouse (PRC) has been tracking a lot of data breaches since 2005,
and there were 563 million records leaked as of October 2016. This number could be wrong, as there
might be a lot of breaches like Yahoo!’s that were not published publicly (Wikina, 2014). It was
also reported that from 2009–2012 there was a whopping 230% increase in the number of records
breached, impacting more than 27 million people.
Yahoo! admitted that nearly all the user accounts were affected by this massive breach (Identity
Force, 2017). Not only did the hack lead to the loss of personal information and details, but it also
damaged the company's reputation. After the incident, it was reported that only 35% of users
recreated their account with Yahoo!, while others went to seek solutions from other providers like
Google Inc. (Ali, 2017). Once the reports were delivered, Yahoo! saw a loss of $1.23 billion in the
second quarter of the 2014 financial year, which also led to 15% of the employees losing their jobs.
Six Democratic U.S. Senators (Ed Markey, Patrick Leahy, Al Franken, Elizabeth Warren, Ron Wyden,
and Richard Blumenthal) wrote an open letter to Yahoo! demanding answers on why it took the
multinational firm so long to disclose the breach to the media and its users. Ireland’s DPC (Data
Protection Commissioner) claimed that instead of investigating the issue, Yahoo! was just examining
the case superficially to get away from it. Germany slammed Yahoo!’s cybersecurity practices, as the
Federal Office of Information Security (FOIS) warned German users to seek internet solutions
from companies with better security approaches.
Liffick’s Analysis
Primary Participants
The participants who have taken obvious actions impacting the case directly are known as primary
participants.
Secondary Participants
Participants who did not take a specific action and have been affected by the primary participants’
actions fall under this category.
Implied Participants
Only one participant is left, which is the actual client. Users are not specifically identified by name
but had a stake in the outcome of Yahoo!’s data breach case.
Studying Yahoo!’s case, the following participants were eliminated for one reason or another:
• Verizon Communications – Verizon Communications’ actions did not affect the final analysis of the
case, so it comes under the list of eliminated participants.
• German FOIS – Similar to the U.S. Congress, the German FOIS educated its nation’s people, which
will not alter the final analysis, so the authority is eliminated from the list of participants.
• FBI (Federal Bureau of Investigation) – It is the FBI’s job to help the citizens and the government
whenever required by investigating a case, so it can be assumed that the FBI did its duty
legitimately and can be eliminated from the list of participants.
• U.S. Congress – In Yahoo!’s case, the government was looking out for its people by educating them
and also filing a case against the firm to approve further investigation, which can be seen as its
fundamental duty. Looking at it as a fundamental duty, we remove it from the list of participants.
• U.S. Senators and Ireland’s DPC – As already discussed in the previous section, these authorities
did not take any direct action that would result in a change in the final outcome of the case, so they
can be eliminated from the list of participants.
Following the method of KISS (Keeping it Short and Simple) and eliminating some of the participants
that can be seen in the diagram above, we are left with three participants: the users, the hacking
team and the company that was attacked, i.e. Yahoo!.
Users are directly impacted by the actions of the single third-party hacking team that breached the
accounts. Users’ personal information has been stolen, and they are directly affected from the start
until the end of this case.
Hackers are also considered a main participant, as they are the ones who started the whole
scam by gaining unauthorized access, and their actions are crucial to the outcome of this case.
Yahoo! kept the news about the breach confidential for two years to make sure that its
reputation stayed intact in the market, which was considered unethical and led to massive fury
among the media, government and the users. Given this, it is an obvious choice to keep
Yahoo! in the list of narrowed-down participants.
Legal Considerations
After some in-depth research on different sources I found out that Yahoo! breached two major laws,
which are the following:
“Users Expect that organizations will keep their personal information safe from the hackers who
will try to exploit it.”
Hayesconnor.co.uk helps Yahoo! account holders (between 1st January 2012 and 31st December
2016) to get data breach compensation. The process is very simple: the person just has to fill in a
form, which is then checked to determine whether the person claiming compensation is eligible.
• Users – As the public already knows that the world of technology and the internet is unsafe, it
is also the users’ duty to keep themselves safe from such issues by taking some precautions.
WSJ’s personal technology editor, Wilson Rockman, advised users to enable two-factor
authentication, which would have helped them to double the security of their Yahoo! accounts.
Once two-factor authentication is enabled, the hacking team can only breach the account’s data if
they have access to the user’s personal mobile phone.
• Yahoo! – Yahoo! could have informed its users about the breach at each of the points in early 2014,
late 2014 and September 2016. There would have been unrest among the users, but it would have
settled with time. Yahoo! could also have tightened its security systems against such breaches, as
Forbes once considered Yahoo! to be the most insecure multinational organization.
• Hacking team – Hackers carried out the breach with bad intentions and should have thought
about the outcomes of the situation, as crime leads one behind bars. Moreover, hackers could have
used their skills doing something that is not considered illegal by the government.
Key Phrases
Questions Raised
There is no doubt that some things are questionable in Yahoo!’s massive data breach case. Some of
the questions are listed below:
1. Were the security systems secure enough to protect Yahoo! against a data breach, given that
Yahoo! was on the list of firms most prone to such breaches?
2. Were there any inside tactics going on to make sure the reputation did not fall off the perch?
3. Was the company not liable to at least open up about the breach to its major shareholders and
Verizon Communications?
4. Was it not Yahoo!’s duty to educate its users about two-factor authentication when the small
number of intrusions was seen in early 2014?
Analogies Employed
Data breaches are so common that, according to a statistic from Business Insider, nearly 98% of
companies are prone to them. There have been some massive data breaches in the past that
involved big companies. Here we focus on what Google (a subsidiary of Alphabet) did to protect
itself from such breaches.
How to take precautions in a system does depend on the threat model, but Google took the solution
to a whole new level with what is to date considered the safest and easiest technique to protect
yourself against a data breach. The technique is known as “two-factor authentication” and is hailed
by several research studies, including ones from New York University and the University of
California. In this technique, a text message consisting of a series of digits is sent to the account
owner’s mobile phone whenever someone tries to log in to the email account. If the person trying to
access the account fails to enter the same series of digits when asked, the email provider does not
allow the login to happen, because of the extra layer of security.
The above image shows the data from Google, which proves that sending a text message to the
user's phone can prevent 100% of the hacks and 96% of phishing attacks.
Yahoo!, being one of the heavyweights in the industry, should have adopted such techniques to
protect itself and its users from the massive breach.
Code of Ethics
Professional Responsibilities
Alternate Proposals
Optimistic
The world of technology has changed a lot ever since it saw one of the world’s biggest data
breaches. To reduce future attacks, the company doubled the size of its security staff (Ali,
2017). Yahoo! also installed several firewalls to fight against the robot-hackers. One very
important feature added by many firms was letting the user know who has logged in to the
account, along with the IP address, which is still used by most email providers (Thomas, 2016).
Pessimistic
Technology is innovating at a high rate, but the same is not true of security. Despite all the
breaches in the past, big organizations have still not learned their lessons, as they do not keep
security and innovation hand in hand.
Compromise
As several researchers claimed, Yahoo! was always prone to data thefts and should have invested
heavily in their security systems after seeing the early signs to avoid the big breach in 2014.
Conclusion
The fact that nearly 3 billion users were affected shows that putting data online is not safe and
secure. Hackers have breached not only the personal information of ordinary citizens and
government officials but also the code of ethics and morals. Yahoo!, being one of the biggest
technology firms, failed to protect its users' data multiple times in the past due to vulnerabilities
in its security systems.
Yahoo!’s case study gave me an opportunity to explore ethics in the real world. It was a really good
experience where I also learned about reporting a case study through Liffick’s analysis. The most
important lesson is that nobody is bigger than justice.
References
2. The Verge. (2019). SEC issues $35 million fine over Yahoo failing to disclose data breach. [online]
Available at: https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million
[Accessed 2 Nov. 2019].
3. The National Law Review. (2019). The Hacked & the Hacker-for-Hire: Lessons from the
Yahoo Data Breaches (So Far). [online] Available at:
https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far
[Accessed 3 Nov. 2019].
4. Ico.org.uk. (2019). Yahoo! fined £250,000 after systemic failures put customer data at risk.
[online] Available at:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/
[Accessed 3 Nov. 2019].
5. Inc.com. (2019). Did Yahoo Break Any Laws with the Massive Data Breach?. [online] Available at:
https://www.inc.com/erik-sherman/did-yahoo-break-any-laws-with-the-massive-data-breach.html
[Accessed 4 Nov. 2019].
6. Business Insider. (2019). LEAKED: The Hard Questions Yahoo Employees Asked Marissa Mayer.
[online] Available at:
https://www.businessinsider.com/leaked-the-hard-questions-yahoo-employee-asked-marissa-mayer-2015-1?r=US&IR=T
[Accessed 5 Nov. 2019].
8. TechCrunch. (2019). Google’s own data proves two-factor is the best defense against most
account hacks – TechCrunch. [online] Available at:
https://techcrunch.com/2019/05/20/google-data-two-factor-security/
[Accessed 6 Nov. 2019].
9. TechCrunch. (2019). Google’s own data proves two-factor is the best defense against most
account hacks – TechCrunch. [online] Available at:
https://techcrunch.com/2019/05/20/google-data-two-factor-security/
[Accessed 7 Nov. 2019].
10. ACM Ethics. (2019). ACM Ethics. [online] Available at: https://ethics.acm.org
[Accessed 8 Nov. 2019].
11. Jee, E., Song, J. and Bae, D. (2018). Definition and Application of Mutation Operator Extensions
for FBD Programs. KIISE Transactions on Computing Practices, 24(11), pp.589-595.
12. Free Management Resources. (2019). Yahoo Cyber Attack Case Study | Free Management
Resources. [online] Available at:
https://freemanagementresources.com/yahoo-inc-cyber-attack-case-study/
[Accessed 8 Nov. 2019].
13. Kennedy, J. (2019). 5 things you need to know as Yahoo data breach rises to 3bn accounts.
[online] Silicon Republic. Available at:
https://www.siliconrepublic.com/enterprise/data-breach-yahoo-verizon-oath
[Accessed 8 Nov. 2019].