Yahoo has come under renewed scrutiny by federal investigators and lawmakers after disclosing the largest known data breach in history, prompting Verizon to demand better terms for its planned purchase of Yahoo's internet business.
Shares of the internet pioneer fell more than 6 percent after it announced the breach of data affecting more than 1 billion users yesterday, following another large hack reported in September.
Verizon, which agreed to buy Yahoo's core internet business in July for US$4.8 billion, is now trying to persuade Yahoo to amend the terms of the acquisition agreement to reflect the economic damage from the two hacks, according to people familiar with the matter.
The top US wireless carrier still expects to go through with the deal, but is looking for “major concessions” in light of the most recent breach, according to another person familiar with the situation.
Asked about the status of the deal, a Yahoo spokesperson said "we are confident in Yahoo’s value and we continue to work towards integration with Verizon".
Verizon had already said in October it was reviewing the deal after September's breach disclosure. Yesterday it said it would "review the impact of this new development before reaching any final conclusions" about whether to proceed.
The company declined to comment beyond that statement.
Verizon has threatened to go to court to get out of the deal if it is not repriced, citing a material adverse effect, said the people familiar with the matter, who asked not to be identified because the negotiations are confidential.
No court in Delaware, where Yahoo is incorporated, has ever found that a material adverse effect has occurred that would allow companies to terminate a merger agreement.
Nevertheless, the threat of a court case on the issue has been successfully used by companies to renegotiate deals, and experts said that some concessions from Yahoo are likely, given the magnitude of the security breaches.
Renegotiating the deal’s price tag would be the simplest but also least likely scenario because the impact of the data breaches will not be apparent for some time, according to Erik Gordon, a professor at the University of Michigan's Ross School of Business.
A more likely concession would be for Yahoo to agree to compensate Verizon after the close of the deal, based on the liabilities that occur. The two companies may also agree to extend the close of the deal to allow for more time for information to come in on the impact of the breaches, Gordon suggested.
The White House yesterday revealed the US FBI was probing the breach. Several lawsuits seeking class-action status on behalf of Yahoo shareholders have been filed, or are in the works.
Meanwhile, Democratic senator Mark Warner of Virginia said he was looking into Yahoo's cyber security practices.
"This most recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users," he said in a statement.
Warner, who will become the top Democrat on the US senate intelligence committee next year, described the hacks as "deeply troubling."
New York attorney general Eric Schneiderman urged anyone with a Yahoo account to change their passwords and security questions, and said he was examining the breach's circumstances and the company's disclosures to law enforcement.
Germany's cyber security authority, the Federal Office for Information Security (BSI), advised German consumers to consider switching to safer alternatives for email, and criticised Yahoo for failing to adopt modern encryption techniques to protect users' personal data.
"Considering the repeated cases of data theft, users should look more closely at which services they want to use in the future and security should play a part in that decision," BSI president Arne Schoenbohm said in a statement.
A Yahoo spokesperson, in response to criticism of the company's security measures, said "we’re committed to keeping our users secure, both by continuously striving to stay ahead of ever-evolving online threats and to keep our users and platforms secure".