ARI SHAPIRO, HOST:
2016 has been a huge year for hackers. They hit the Democratic National Committee, possibly the Republicans, too. They broke into the Twitter accounts of the CEOs of Facebook, Google and, yes, Twitter. Hackers did damage elsewhere, too. A few breaches caught the eye of our tech reporter Aarti Shahani because of their unexpected financial impact.
AARTI SHAHANI, BYLINE: Yes, the DNC hack rocked the political world in ways we're only beginning to understand. But the act of cyber-espionage is hardly new. Nation states have been doing it to each other for years now. What is new, never-before-seen is this.
(SOUNDBITE OF ARCHIVED RECORDING)
CARSON BLOCK: This appears to be a company that for years has put profits before patients when it comes to cybersecurity.
SHAHANI: You're listening to short-seller Carson Block, a hedge fund guy sounding very altruistic on Bloomberg TV as he talks about the company St. Jude Medical.
(SOUNDBITE OF ARCHIVED RECORDING)
BLOCK: And we think it's important, A, to make sure that users are notified of the risks but, B, hold them publicly accountable.
SHAHANI: What's actually just happened is that he tag-teamed with a cybersecurity firm to short St. Jude's stock. Here's how it worked. The hackers for hire released research showing they could break into St. Jude's pacemakers remotely over the Internet. That's a terrifying thought. A hacker could get into the device in your heart, take it over, make it stop - terrifying enough to move markets.
And as St. Jude's stock price fell with publicity of the research, the hackers and hedge fund made money. Justine Bone, CEO of the hacker research group MedSec, in that same Bloomberg interview...
(SOUNDBITE OF ARCHIVED RECORDING)
JUSTINE BONE: So we were shocked, and this is a team with years and years of experience, myself included. I've never seen an impact this significant before in my career.
SHAHANI: People with years and years of experience in her industry are not typically shocked that an Internet-connected device can be hacked. Security is so poor across the board; they're shocked when it cannot be hacked. And a quick note - there's no evidence that St. Jude's pacemakers have in fact been hacked by criminals.
According to the unwritten rules of cybersecurity, researchers are supposed to go to the company with the security flaw and let them know first, give them a chance to fix it. Bone didn't do that, and she admits she's got bills to pay. This research isn't cheap.
(SOUNDBITE OF ARCHIVED RECORDING)
BONE: So of course we're looking to recover our costs here.
SHAHANI: You could call it a jerk move, or you could say that's exactly how markets are supposed to work. You bring in information that no one else has - outside information, not insider info, which would be illegal - and make money off it.
Now let's turn to case study two - the $4.8 billion deal for Verizon to buy Yahoo. Here's AOL chief Tim Armstrong talking with NPR about the deal which he helped to broker.
(SOUNDBITE OF ARCHIVED BROADCAST)
TIM ARMSTRONG: You know, Yahoo is a very strong global brand and global company.
SHAHANI: And so is AOL, which Verizon bought last year.
(SOUNDBITE OF ARCHIVED BROADCAST)
ARMSTRONG: And the combination of the two with Verizon really offers something that is unique in the marketplace, which is the ability to have, you know, a very scaled, over a billion users combined...
SHAHANI: Now, what Tim Armstrong did not realize when he was selling the world on this big, bold move was that those Yahoo user accounts were being pillaged.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED REPORTER #1: There has been a massive hack attack on those with a Yahoo account.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED REPORTER #2: Hackers stole the personal information in half a billion email accounts. It may be the biggest hack ever.
SHAHANI: And three months later, as if half a billion weren't enough, Yahoo beat its own record.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED REPORTER #3: One billion of its user accounts were compromised.
SHAHANI: Talk about a distinction you don't want to have. When news of the first hack broke in September, Verizon said in a stern, coldly worded email that Yahoo did not share this security information earlier and, yes, it would be re-evaluating.
Now, many acquisitions never make it for reasons like anti-trust issues, but if this deal falls apart because of cybersecurity risk, that'll be a new one. Aarti Shahani, NPR News, San Francisco.
(SOUNDBITE OF MELODIUM SONG, "WHITE CHAPEL") Transcript provided by NPR, Copyright NPR.