Four years after the fact, Yahoo is still facing penalties for the 2014 data breach that affected 500 million of its users worldwide. Many will remember the breach as one of the most significant global incidents reported so far, exposing user information such as names, email addresses, telephone numbers, passwords and even security questions. Yahoo publicly disclosed the incident in 2016, two years after the breach, during Verizon’s ongoing multi-billion dollar bid to acquire Yahoo. The revelation caused the two parties to agree to shave $350 million from the acquisition deal.
Because of the incident's timeline and impact on over 500,000 users from the United Kingdom, the UK’s Information Commissioner’s Office (ICO) investigated Yahoo under its 1998 Data Protection Act (DPA) and has fined them £250,000.
The ICO found multiple failings on Yahoo’s part: failure to comply with the protection standards, failure to ensure the data would be safe from exfiltration, and failure to have the proper monitoring systems in place to protect employees’ access to data. The ICO also criticized the company’s long-term security “inadequacies” that likely contributed to the breach.
The ICO’s fine may seem trivial, especially compared to the $35 million penalty that the United States’ Securities and Exchange Commission imposed on Yahoo for the same incident, but the UK’s DPA of 1998 caps its fines at £500,000. The new Data Protection Bill of 2018 is an updated version of the DPA that is more aligned with the EU’s General Data Protection Regulation, with higher noncompliance fines and stricter security standards.
When a data breach similar to the 2014 Yahoo breach involves millions of users across regions, many countries will be looking for answers and levying penalties. Aside from commissions in the US and the UK, the Irish Data Protection Commissioner (DPC) also concluded an investigation into the 2014 breach and found Yahoo liable. Ireland is the lead European regulator for Yahoo because the company’s European headquarters is in Dublin. Based on its findings, the DPC ordered the company to update its data processing systems and comply with applicable data protection laws. Reports say that fines will not be issued because the events took place before the General Data Protection Regulation (GDPR) was enacted.
Mitigation and solutions
Updated data protection regulations impose a new set of standards for all enterprises handling users’ personal data. They have to give users more control over their personal information, and provide stronger security for the data they collect. The key to this is implementing privacy by design and integrating security measures at every stage of operations to stay ahead of threats and hazards.
For data processors, it is vital to employ state-of-the-art security solutions, make sure third-party suppliers are also secured, and conduct regular risk assessments to spot potential security holes. For more information on building better data protection, view our guide. And for more information on the GDPR, which is setting the standard for other countries’ regulations, visit our GDPR resource page. Compliance with local and regional regulations is a good first step towards better data protection for enterprises, as well as an opportunity to update and enhance data management policies and techniques.