
CA640 Professional and Research Practice: Ethics Essay

Kshitiz Kapoor (19212090)


Kshitiz.kapoor2@mail.dcu.ie

Word Count: 2504


CA640 Professional and Research Practice: Ethics Essay | Kshitiz Kapoor

Declaration
An essay submitted to Dublin City University, School of Computing for module CA640
Professional and Research Practice, 2019/2020. I understand that the University regards
breaches of academic integrity and plagiarism as grave and serious. I have read and
understood the DCU Academic Integrity and Plagiarism Policy. I accept the penalties that
may be imposed should I engage in practice or practices that breach this policy. I have
identified and included the source of all facts, ideas, opinions, viewpoints of others in the
assignment references. Direct quotations, paraphrasing, discussion of ideas from books,
journal articles, internet sources, module text, or any other source whatsoever are
acknowledged and the sources cited are identified in the assignment references.

I declare that this material, which I now submit for assessment, is entirely my own work and
has not been taken from the work of others save and to the extent that such work has been
cited and acknowledged within the text of my work. By signing this form or by submitting
this material online I confirm that this assignment, or any part of it, has not been previously
submitted by me or any other person for assessment on this or any other course of study.
By signing this form or by submitting material for assessment online I confirm that I have
read and understood the DCU Academic Integrity and Plagiarism Policy

(available at: https://www.dcu.ie/policies/policies.shtml)

Name: Kshitiz Kapoor

Date: 15th November 2019


Table of Contents
Declaration
Introduction
Literature Review
Liffick’s Analysis
Participants and their actions
    Primary Participants
    Secondary Participants
    Implied Participants
Reduced List through simplifying assumptions
Legal Considerations
    Data Protection Act 1998
    State Data Laws
Possible options of participants
Justification of Participant’s actions
Key Phrases
Questions Raised
Analogies Employed
Code of Ethics
    General Ethical Principles
    Professional Responsibilities
Alternate Proposals
    Optimistic
    Pessimistic
    Compromise
Ethical Theory Utilised
Conclusion
References


“Unethical behavior leads to failure”

Introduction
Yahoo!, an email provider that has been trusted by millions of people worldwide since 1997, was
counted alongside big names like Gmail and AOL Email because of its comprehensive functionality,
consistency, and security. Yahoo! released a statement on September 22, 2016, saying that some 3 billion
personal user accounts were affected due to hacking. Yahoo! reported that a single third party was
responsible for carrying out the colossal data breach, which led to the leakage of personal data such
as full names, email addresses, contact numbers, birth dates and the accounts’ protected passwords. It
is obvious that this amount of information would be enough in the future for the hacker to commit
theft crimes against the affected users. Although data breaches are nothing new to the
textbooks, as they happen quite often, this particular breach was considered the largest of its kind
ever. In 2014, the majority of account users received alert emails from Yahoo! claiming that a
suspicious party had tried to log into the accounts by capturing the basic information (Ali, 2017). At
this point, the FBI confirmed that it was investigating the affair.

In September 2016, during the statement release, it was revealed that the breach took place in 2014,
at the time when the users received alert emails from the organization. The release of this
statement resulted in a huge debate among the users on why Yahoo! did not openly declare the
breach in 2014, when a number of suspicious logins were flooding in. Keeping the information about
the breach secret for 2 years was considered unethical (Thomas, 2016).
These breaches had an immediate impact on Verizon Communications’ deal to take over Yahoo! in
July 2016, as the final price was decreased by $350 million from the $4.8 billion that was set before.

Literature Review
It is obvious that data security is progressively becoming more and more difficult because of the
increasing number of external and internal threats (Richardson, 2011; vanKessel, 2011). Sen and
Borle (2015) described a data breach as “unauthorized access to secure or confidential data resulting
in compromising with the integrity”. Privacy Rights Clearinghouse (PRC) has been tracking a lot of
data breaches since 2005, and there were 563 million records leaked as of October 2016. This
number could be wrong, as there might be a lot of breaches like Yahoo!’s that were not made
public (Wikina, 2014). It was also reported that from 2009–2012 there was a whopping 230%
increase in the number of records breached, impacting more than 27 million people.

Yahoo! admitted that nearly all the user accounts were affected by this massive breach (Identity
Force, 2017). Not only did the hack lead to the loss of personal information and details, but it also
damaged the company’s reputation. After the incident, it was reported that only 35% of users recreated
their account with Yahoo!, while others went to seek solutions from other providers like Google Inc. (Ali,
2017). Once the reports were delivered, Yahoo! saw a loss of $1.23 billion in the second quarter of
the 2014 financial year, which also led to 15% of the employees losing their jobs.

Six Democratic U.S. Senators (Ed Markey, Patrick Leahy, Al Franken, Elizabeth Warren, Ron Wyden,
and Richard Blumenthal) wrote an open letter to Yahoo! requiring answers on why it took the
multinational firm so long to disclose the breach to the media and its users. Ireland’s DPC (Data
Protection Commissioner) claimed that instead of investigating the issue, Yahoo! was just examining
the case from the top to get away from it. Germany slammed Yahoo!’s cybersecurity practices as the
Federal Office of Information Security (FOIS) warned German users to seek internet solutions
from companies with better security approaches.


Liffick’s Analysis

Participants and their actions


This section helps us to evaluate every participant who was directly or indirectly involved in
this case. The SmartArt below depicts all the participants, which were divided into three
groups: primary participants, secondary participants, and implied participants.

Primary Participants
The participants who have taken obvious actions impacting the case directly are known as primary
participants.


Secondary Participants
Participants who did not take a specific action but have been affected by the primary participants’
actions fall under this category.

Implied Participants
Only one participant is left, which is the actual client. Users are not specifically identified by name
but had a stake in the outcome of Yahoo!’s data breach case.

Reduced List through simplifying assumptions


It is necessary to avoid the “Kitchen Sink” situation and to make sure that the participants
whose actions are not pivotal to the case are eliminated from the list, so that the reader can
understand the situation more easily.

Studying Yahoo!’s case, the following participants were eliminated for one reason or
another:

• Verizon Communications – Verizon Communications’ actions did not affect the final analysis of the
case, so it comes under the list of eliminated participants.

• German FOIS – Similar to the U.S. Congress, the German FOIS educated its nation’s people, which will
not alter the final analysis, so the authority is eliminated from the list of participants.

• FBI (Federal Bureau of Investigation) – It is the FBI’s job to help the citizens and the government
whenever required by investigating a case, so it can be assumed that the FBI did its duty
legitimately and can be eliminated from the list of participants.

• U.S. Congress – In Yahoo!’s case, the government was looking out for its people by educating them
and also filing a case against the firm to approve further investigation, which can be seen as its
fundamental duty. Looking at it as a fundamental duty, we remove it from the list of participants.

• U.S. Senators and Ireland’s DPC – As already discussed in the previous section, these authorities
did not take any direct action that would result in a change in the final outcome of the case, so they
can be eliminated from the list of participants.

Following the KISS method (Keeping it Short and Simple) and eliminating some of the participants
that can be seen in the diagram above, we are left with three participants: the users, the hacking
team and the company that was attacked, i.e. Yahoo!.

• Users are directly impacted by the actions of the single third-party hacking team that breached
the accounts. Users’ personal information has been stolen and they are
directly affected from the start until the end of this case.

• Hackers are also considered main participants as they are the ones who started the whole
scam by gaining unauthorized access, and their actions are pivotal to the outcome of this case.

• Yahoo! kept the news about the breach confidential for two years to make sure that its
reputation stayed intact in the market, which was considered unethical and led to massive fury
among the media, government and the users. Given this, it is an obvious choice to keep
Yahoo! in the list of narrowed-down participants.

Legal Considerations
After some in-depth research on different sources, I found out that Yahoo! breached two major laws,
which are the following:

Data Protection Act 1998


Following the attack in 2014 and the disclosure in 2016, the ICO (Information Commissioner’s Office)
investigated under the Data Protection Act 1998. In particular, the ICO focused on 515,212 UK accounts.
The main results of the investigation were that Yahoo! UK Services Ltd failed to protect its users’ data
and did not ensure appropriate monitoring. The fine charged was £250,000. Data
protection law has since changed, as the EU’s GDPR came into effect on 25th May 2018. The ICO’s Deputy
Commissioner, James Dipple-Johnstone, said –

“Users expect that organizations will keep their personal information safe from the hackers who
will try to exploit it.”

Hayesconnor.co.uk helps Yahoo account holders (between 1st January 2012 and 31st December
2016) to get data breach compensation. The process is very simple: the person just has to fill in a form,
which is then checked to confirm that the person claiming the compensation is eligible to get it.

State Data Laws


States like California, New York, and Massachusetts have several data laws that make it necessary for
the organization to notify the user when a breach takes place. Looking at Yahoo!’s case, it can be
seen that the company failed to disclose the situation to its users. Every state responds differently
to the breaking of its state law. In New York, the fine is up to $150,000 if the organization
knowingly failed to disclose the breach, whereas in Massachusetts the fine is only $5000.


Possible options of participants


There is always more than one way to reach the desired destination, and the core participants’
actions could have been different to make the situation slightly better. The participants and their
hypothetical actions are mentioned below:

• Users – As the public already knows that the world of technology and the internet is unsafe, it
is also the users’ duty to keep themselves safe from such issues by taking some precautions.
WSJ’s personal technology editor, Wilson Rockman, advised users to apply
two-factor authentication, which would have helped them to double the security of their Yahoo!
accounts. Once two-factor authentication is enabled, the hacking team could only breach the
account’s data if they had access to the user’s personal mobile phone.

• Yahoo! – Yahoo! could have informed its users about the breach at each point: early 2014, late
2014 and September 2016. There would have been unrest among the users but it would have
settled with time. Yahoo! could also have tightened its security systems against such breaches, since
Forbes once considered Yahoo! to be the most insecure multinational organization.

• Hacking team – The hackers carried out the breach with bad intentions and should have thought
about the consequences, as the path of crime leads behind bars. Moreover, the
hackers could have used their skills doing something that is not considered illegal by the
government.

Justification of Participant’s actions


No one does anything without thinking, and the same goes for the participants in Yahoo!’s case. In this
scenario, the users can state that they are not liable for anything since, as customers, they should
receive the best possible service from the company that they trust. Yahoo! can also justify
its decision to keep the breach an undisclosed matter, as the investigation was still in progress and
its reputation was at stake. Yahoo! can argue that the customers agreed to the terms and
conditions, which stated the company’s policy, before signing up. In the same way as the organization
and the customers, the hacking team can advocate their own actions by saying that they felt it was
the easiest way to success or money. The hackers can also claim that there is a lack of opportunities
in the real world where they can show their skills in a legitimate manner.


Key Phrases

Questions Raised
There is no doubt that some things are questionable in Yahoo!’s massive data
breach case. Some of the questions are mentioned below:

1. Were the security systems secure enough to save Yahoo! against a data breach, given that Yahoo!
appeared in the list of firms that were most prone to such breaches?
2. Were there any inside tactics going on to make sure the company’s reputation did not fall off the
perch?
3. Was the company not liable to at least open up about the breach to its major shareholders and
Verizon Communications?
4. Should it not have been Yahoo!’s duty to educate its users about two-factor authentication when
a small number of intrusions were seen in early 2014?


Analogies Employed
Data breaches are so common that, according to a statistic from Business Insider,
nearly 98% of companies are prone to them. There have been some massive data breaches in the past
that involved big companies. In this scenario, we will focus on what Google (Alphabet’s
subsidiary) did to protect itself from such breaches.

The precautions to take in a system do indeed depend on the threat model, but Google took
the solution to a whole new level with what is to date considered the safest and easiest technique
to protect yourself against a data breach. The technique is known as “two-factor
authentication” and is hailed by several research studies, including ones from New York University and
the University of California. In this technique, a text message consisting of a series of digits is sent
to the account owner’s mobile phone whenever someone tries to log in to the email account. If
the person trying to access the account fails to enter the same series of digits when asked, the email
provider does not allow the login to happen, as there is an extra layer of security.

The above image shows the data from Google which proves that sending a text message to the
user's phone can prevent 100% of the hacks and 96% of phishing attacks.

Yahoo!, being one of the heavyweights in the industry, should have adopted such techniques to
protect itself and its users from the massive breach.
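
The login check described in this section, written out as an added example (it is not part of the original essay or any email provider's code): the server issues a one-time series of digits for a login attempt and accepts it only if it is correct, unexpired and unused. The six-digit length, five-minute lifetime, three-attempt limit and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6         # assumption: the essay only says "a series of digits"
CODE_TTL_SECONDS = 300  # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: wrong guesses allowed per challenge


class SmsCodeVerifier:
    """Hypothetical server-side second factor: one pending challenge per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # MAC key held outside the challenge table
        self._pending = {}                   # account -> [mac, expires_at, attempts_left]

    def _mac(self, account, code):
        # Keep only a keyed MAC of the code, so a copy of the pending table
        # without the key does not hand over codes that are still valid.
        msg = account.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account):
        """Start a challenge and return the digits to hand to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[account] = [self._mac(account, code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, account, submitted):
        """True only for the correct code, before expiry, and only once."""
        entry = self._pending.get(account)
        if entry is None:
            return False                      # no challenge outstanding, or already used
        mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]        # expired codes are discarded
            return False
        if hmac.compare_digest(mac, self._mac(account, submitted)):
            del self._pending[account]        # single use: a replayed code fails
            return True
        entry[2] -= 1                         # count the wrong guess
        if entry[2] <= 0:
            del self._pending[account]        # too many guesses: force a new challenge
        return False


def login(verifier, account, password_ok, submitted_code):
    """Allow the login only when the password AND the texted code both check out."""
    return bool(password_ok) and verifier.verify(account, submitted_code)


if __name__ == "__main__":
    v = SmsCodeVerifier()
    sent = v.issue("user@example.com")        # constructed account name
    print("correct code:", login(v, "user@example.com", True, sent))
    print("replayed code:", login(v, "user@example.com", True, sent))
```
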


Code of Ethics

General Ethical Principles

Professional Responsibilities

Alternate Proposals

Optimistic
The world of technology has changed a lot since it saw one of the world’s biggest
data breaches. To reduce future attacks, the company doubled the size of its security staff (Ali,
2017). Yahoo! also installed several firewalls to fight against the robot-hackers. One very
important feature added by many firms was letting the user know who has logged in to the
account, along with the IP address, which is still used by most email providers (Thomas, 2016).

Pessimistic
Technology is innovating at a high rate, but the same is not true of security. After seeing all the
breaches in the past, big organizations have still not learned their lessons, as they do not keep
security and innovation hand in hand.


Compromise
As several researchers claimed, Yahoo! was always prone to data thefts and should have invested
heavily in their security systems after seeing the early signs to avoid the big breach in 2014.

Ethical Theory Utilised


Egoism theory was considered the most appropriate for Yahoo!’s case study and my conclusion.
To protect its name and reputation, Yahoo! kept its users and shareholders in the dark, but it is truly
said: “The more you lie, the further you fall”. Yahoo! encountered big losses and a decline in stock
prices after the unethical and egoistic behaviour.

Conclusion
That nearly 3 billion users were affected proves that putting data online is not safe and secure.
Hackers have breached not only the personal information of normal citizens and government officials
but also the code of ethics and morals. Yahoo!, being one of the biggest technology firms, failed to
protect its users’ data multiple times in the past due to the vulnerability in its security systems.

Yahoo!’s case study gave me an opportunity to explore ethics in the real world. It was a really good
experience where I also learned about reporting a case study through Liffick’s analysis. The most
important lesson is that nobody is bigger than justice.


References (Harvard Style)


1. (2016), Y. (2019). Yahoo: Data breach leads to 500 million accounts hacked (2016). [online]
Businessethicscases.blogspot.com. Available at:
http://businessethicscases.blogspot.com/2017/04/yahoo-data-breach-leads-to-500-million.html
[Accessed 1 Nov. 2019].

2. The Verge. (2019). SEC issues $35 million fine over Yahoo failing to disclose data breach. [online]
Available at: https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million
[Accessed 2 Nov. 2019].

3. The National Law Review. (2019). The Hacked & the Hacker-for-Hire: Lessons from the
Yahoo Data Breaches (So Far). [online] Available at:
https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far
[Accessed 3 Nov. 2019].

4. Ico.org.uk. (2019). Yahoo! fined £250,000 after systemic failures put customer data at risk.
[online] Available at:
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/
[Accessed 3 Nov. 2019].

5. Inc.com. (2019). Did Yahoo Break Any Laws with the Massive Data Breach?. [online] Available at:
https://www.inc.com/erik-sherman/did-yahoo-break-any-laws-with-the-massive-data-breach.html
[Accessed 4 Nov. 2019].

6. Business Insider. (2019). LEAKED: The Hard Questions Yahoo Employees Asked Marissa Mayer.
[online] Available at:
https://www.businessinsider.com/leaked-the-hard-questions-yahoo-employee-asked-marissa-mayer-2015-1?r=US&IR=T
[Accessed 5 Nov. 2019].

7. Watts, S. (2014). Intelligent combination – the benefits of tokenless two-factor
authentication. Network Security, 2014(8), pp.17-20.

8. TechCrunch. (2019). Google’s own data proves two-factor is the best defense against most
account hacks – TechCrunch. [online] Available at:
https://techcrunch.com/2019/05/20/google-data-two-factor-security/
[Accessed 6 Nov. 2019].

9. TechCrunch. (2019). Google’s own data proves two-factor is the best defense against most
account hacks – TechCrunch. [online] Available at:
https://techcrunch.com/2019/05/20/google-data-two-factor-security/
[Accessed 7 Nov. 2019].

10. ACM Ethics. (2019). ACM Ethics. [online] Available at: https://ethics.acm.org
[Accessed 8 Nov. 2019].

11. Jee, E., Song, J. and Bae, D. (2018). Definition and Application of Mutation Operator Extensions
for FBD Programs. KIISE Transactions on Computing Practices, 24(11), pp.589-595.

12. Free Management Resources. (2019). Yahoo Cyber Attack Case Study | Free Management
Resources. [online] Available at:
https://freemanagementresources.com/yahoo-inc-cyber-attack-case-study/
[Accessed 8 Nov. 2019].

13. Kennedy, J. (2019). 5 things you need to know as Yahoo data breach rises to 3bn accounts.
[online] Silicon Republic. Available at:
https://www.siliconrepublic.com/enterprise/data-breach-yahoo-verizon-oath
[Accessed 8 Nov. 2019].
