News has broken of another fine for Yahoo, this time £250,000, over its delayed disclosure of a data breach that took place back in 2014.
The breach resulted in the theft of data belonging to 515,121 users located in the UK. The stolen records included e-mail addresses, phone numbers, names, dates of birth, hashed passwords and security questions and answers, some encrypted and some not. Yahoo attributed the incident to a state-sponsored attack but never named a specific country. Only two years later, in 2016, did the company disclose the breach.
That delay reportedly gave the criminals valuable time to exploit the stolen user data as they saw fit, while the UK users whose data had been taken remained unaware for the entire period.
Will GDPR Save Yahoo?
James Dipple-Johnstone, the ICO's Deputy Commissioner of Operations, led an investigation that was conducted under the Data Protection Act 1998, the law in force at the time. It concluded that Yahoo had "failed to prevent unauthorised access to the personal data" of a little more than 500 million international users. Of those, exactly 515,121 accounts belonged to UK residents whom Yahoo had failed to protect under UK law. According to the Deputy Commissioner, Yahoo had ample time to react and, as an organisation handling data at that scale, also had the means to put protective measures in place during that time.
Yet even though the ICO handed Yahoo a substantial fine, the company may have been lucky in one respect: GDPR. Because the investigation fell under the 1998 Act, the penalty was capped at £500,000 and counted only the affected UK users. Under the General Data Protection Regulation, now in force, fines are far heavier, reaching up to €20 million or 4% of worldwide annual turnover, whichever is higher, and users have more control over the data collected about them. Yahoo may therefore have escaped a much larger penalty purely through timing.
The same slow approach to notification also covered an earlier incident: a breach back in 2013 that Yahoo again attributed to a state-sponsored attack. The company stated that several third parties had gained access to its data, and after an investigation by Yahoo and external investigators it concluded that the attack had targeted over 1 billion user accounts. Judged under GDPR, a breach of that size could have buried the company.
The disclosure of this massive hack followed the report of the 500 million compromised accounts, which the company also blamed on state sponsorship. Yahoo was additionally fined $35 million by the SEC for failing to disclose the 2014 breach to investors, so it seems the company is still "paying for its sins".
According to Dipple-Johnstone, companies need to recognise that such threats can become reality and must go to great lengths to protect personal data if they want to manage it lawfully. So far there has been no major scandal involving a company fined under GDPR, but it is entirely realistic that one will come, and when it does, companies will risk far more than they did before.