Another fallout from the massive Yahoo data breach that dates back to 2014: the UK's data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998.
Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users.
Certainly given how large data protection fines can now scale under the European Union's new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case…).
The Information Commissioner's Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller.
And it found a catalogue of failures — specifically finding that Yahoo UK Services had: failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for "a long period of time without being discovered or addressed".
Commenting in a statement, the ICO's deputy commissioner of operations, James Dipple-Johnstone, said: "People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."
According to the ICO, personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
It considered the breach to be a "serious contravention of Principle 7 of the Data Protection Act 1998" — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.
Happily for Oath, GDPR does not apply retrospectively, so the case falls under the UK's domestic regime, which only allows for maximum penalties of £500k.
And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches, well, it's not going to be too concerned with the regulatory sting here.
Reputation-wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed, so any damage had already been publicly attached to Yahoo.
An Oath spokesman told us the company does not comment directly on regulatory actions — but pointed to several developments since Yahoo was acquired, including the doubling in size of the global security organization; the creation in March of a cybersecurity advisory board; and the relaunch in April of an integrated bug bounty program.
Also, as we reported last year, Yahoo's chief information security officer, Bob Lord — who was in charge at the time the breach was unearthed — lost out to AOL's Chris Nims in the merger process, with the latter taking up the security chief chair of the new umbrella entity, Oath.
Security is certainly now being pushed up the C-suite agenda for all organizations handling EU data, as a consequence of GDPR concentrating minds on much more sizable legal liabilities. The regulation's data protection by design requirements also mean privacy considerations need to be baked into the data processing lifecycle, ergo policies and processes must be in place, alongside strong IT governance and security measures, to ensure compliance with the law — with the idea being to shrink the ability for attackers to intrude as happened so extensively in the Yahoo breaches.
"Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers' personal data, they may find customers taking their business elsewhere," added Dipple-Johnstone.
Earlier this year the ICO issued a larger fine for a 2015 hack of Carphone Warehouse which compromised data of more than 3M people, and also included historical payment card details for a subset of the