Yahoo has been fined €250,000 (roughly $334,000) by the UK data protection watchdog. The fine stems from the 2014 data breach that Yahoo experienced and failed to disclose for two years. The 2014 attack was ‘state-sponsored’ and politically motivated, and it has been the largest breach worldwide.
Yahoo was breached in late 2014. The attack affected more than 8 million accounts within the UK and half a billion accounts worldwide.
The PII accessed includes names, email addresses, phone numbers, passwords, and both encrypted and unencrypted security questions and answers. Fortunately, no credit card details were held in the affected system, so no financial information was exposed.
Breaches happen, we get it. What is highly concerning, and the source of discontent for many, is the time Yahoo took to disclose the breach. Adding fuel to the fire is the evidence that Yahoo knew of the breach for years before actually disclosing it. This means that Yahoo deliberately withheld data breach information.
In 2014, when the breach took place, the Data Protection Act 1998 was the regulation organizations had to abide by.
Principle 7 of the Data Protection Act 1998 clearly states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The more important the data, the more care that must be taken by the data controller.”
Yahoo was required to put appropriate security measures in place to protect the data of billions of users; it failed to do so, and then failed to disclose the breach.
Since Yahoo disclosed the breach in 2016, it has faced a wave of lawsuits and backlash. Yahoo has accumulated 23 lawsuits over the breach, and it is predicted that more will follow.
What if GDPR had been in place?
Yahoo is fortunate that this cyber security scandal did not occur under GDPR. Two factors would have amplified the scrutiny had this happened after May 25, 2018.
First, GDPR would have brought a far larger fine. Yahoo would have been liable to pay anything from $80 to $160 million, depending on several factors the regulator would have investigated and considered, including culpability.
Second, the lag between the breach occurring and its disclosure would have been another notch against Yahoo. GDPR requires data breach disclosure within 72 hours of breach discovery. In Yahoo’s case, it waited two years to reveal the breach. Had the timeline been different, GDPR would have had a field day fining Yahoo.