UK watchdog issues $330k fine for Yahoo’s 2014 data breach

Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998.

Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users.

Certainly given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case… ).

The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller.

And it found a catalogue of failures — specifically finding that Yahoo UK Services had: failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and that the inadequacies found had been in place for “a long period of time without being discovered or addressed”.

Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

According to the ICO, personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

Happily for Oath, GDPR does not apply retrospectively, and the UK’s domestic regime in force at the time only allows for maximum penalties of £500k.

And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches, well, it’s not going to be too concerned with the regulatory sting here.

Reputation-wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed, so any damage had already been publicly attached to Yahoo.

An Oath spokesman told us the company does not comment directly on regulatory actions — but pointed to several developments since Yahoo was acquired, including the doubling in size of the global security organization; the creation in March of a cybersecurity advisory board; and the relaunch in April of an integrated bug bounty program.

Also, as we reported last year, Yahoo’s chief information security officer, Bob Lord — who was in charge at the time the breach was unearthed — lost out to AOL’s Chris Nims in the merger process, with the latter taking up the security chief’s chair of the new umbrella entity, Oath.

Security is certainly now being generally pushed up the C-suite agenda for all organizations handling EU data as a consequence of GDPR concentrating minds on much more sizable legal liabilities.

The regulation’s data protection by design requirements also mean privacy considerations need to be baked into the data processing lifecycle, ergo policies and processes must be in place, alongside strong IT governance and security measures, to ensure compliance with the law — with the idea being to shrink the ability for attackers to intrude as happened so extensively in the Yahoo breaches.

“Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere,” added Dipple-Johnstone.

Earlier this year the ICO issued a larger fine for a 2015 hack of Carphone Warehouse which compromised data of more than 3M people, and also included historical payment card details for a subset of the affected users.

Check Also

Cisco’s $2.35 billion Duo acquisition front and center at earnings call

When Cisco bought Ann Arbor, Michigan security company Duo for a whopping $2.35 billion earlier this month, it showed the growing value of security and security startups in the view of traditional tech companies like Cisco. In yesterday’s earnings report, even before the ink had dried on the Duo acquisition contract, Cisco was reporting that its security business grew 12 percent year over year to $627 million.

Given those numbers, the acquisition was top of mind in CEO Chuck Robbins’ comments to analysts. “We recently announced our intent to acquire Duo Security to extend our intent-based networking portfolio into multi-cloud environments. Duo’s SaaS delivered solution will expand our cloud security capabilities to help enable any user on any device to securely connect to any application on any network,” he told analysts.

Indeed, security is going to continue to take center stage moving forward. “Security continues to be our customers’ number one concern and it is a top priority for us. Our strategy is to simplify and increase security efficacy through an architectural approach with products that work together and share analytics and actionable threat intelligence,” Robbins said.

That fits neatly with the Duo acquisition, whose guiding philosophy has been to simplify security. It is perhaps best known for its two-factor authentication tool. Often companies send a text with a code number to your phone after you change a password to prove it’s you, but even that method has proven vulnerable to attack. What Duo does is send a message through its app to your phone asking if you are trying to sign on. You can approve if it’s you or deny if it’s not, and if you can’t get the message for some reason you can call instead to get approval. It can also verify the health of the app before granting access to a user. It’s a fairly painless and secure way to implement two-factor authentication, while making sure employees keep their software up-to-date.

Image caption: Duo Approve/Deny tool in action on smartphone.

While Cisco’s security revenue accounted for a fraction of the company’s overall $12.8 billion for the quarter, the company clearly sees security as an area that could continue to grow. Cisco hasn’t been shy about using its substantial cash holdings to expand in areas like security beyond pure networking hardware to provide a more diverse recurring revenue stream. The company currently has over $54 billion in cash on hand, according to Y Charts.

Cisco spent a fair amount of money on Duo, which according to reports has $100 million in annual recurring revenue, a number that is expected to continue to grow substantially. It had raised over $121 million in venture investment since inception. In its last funding round in September 2017, the company raised $70 million on a valuation of $1.19 billion. The acquisition price ended up more than doubling that valuation. That could be because it’s a security company with recurring revenue, and Cisco clearly wanted it badly as another piece in its security solutions portfolio, one it hopes can help keep pushing that security revenue needle ever higher.
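The paragraph above describes push-based approval in general terms: the server asks the enrolled phone whether a sign-in is really the user, the phone answers approve or deny, and the device's health is checked before access is granted. The following is an added illustration written for this page, not Duo's or Cisco's code and not their protocol. It assumes a hypothetical per-device HMAC key shared at enrolment (DEVICE_KEYS), a hypothetical minimum OS version policy (MIN_OS_VERSION), and a constructed challenge/response format; it shows why the server must bind the answer to a fresh, expiring nonce and verify the device's signature rather than trust a bare "approve".

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: a symmetric key per enrolled device, shared at enrolment.
# Hypothetical; a real deployment would provision keys through a secure channel.
DEVICE_KEYS = {"phone-1": secrets.token_bytes(32)}

# Hypothetical device-health policy: refuse approvals from an outdated OS.
MIN_OS_VERSION = (12, 0)

# How long a pending push challenge stays valid, in seconds.
CHALLENGE_TTL = 60


def create_challenge(user, device_id, now=None):
    """Server side: record a pending sign-in with a fresh nonce and an expiry."""
    now = time.time() if now is None else now
    return {
        "user": user,
        "device": device_id,
        "nonce": secrets.token_hex(16),
        "expires": now + CHALLENGE_TTL,
    }


def _mac(key, challenge, decision, health):
    """HMAC over the fields the server will act on, so none can be altered in transit."""
    payload = {
        "user": challenge["user"],
        "device": challenge["device"],
        "nonce": challenge["nonce"],
        "decision": decision,
        "health": health,
    }
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def device_respond(challenge, decision, health):
    """Phone side: the user taps approve or deny; the app signs the answer
    together with a self-reported health snapshot (here just the OS version)."""
    key = DEVICE_KEYS[challenge["device"]]
    return {
        "nonce": challenge["nonce"],
        "decision": decision,
        "health": health,
        "mac": _mac(key, challenge, decision, health),
    }


def verify_response(challenge, response, now=None):
    """Server side: grant access only if the answer is fresh, bound to this
    challenge, authentically from the enrolled device, an approval, and from
    a device that meets the health policy. Returns (granted, reason)."""
    now = time.time() if now is None else now
    if now > challenge["expires"]:
        return (False, "expired")
    if response["nonce"] != challenge["nonce"]:
        return (False, "nonce mismatch")
    key = DEVICE_KEYS[challenge["device"]]
    expected = _mac(key, challenge, response["decision"], response["health"])
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, response["mac"]):
        return (False, "bad signature")
    if response["decision"] != "approve":
        return (False, "denied by user")
    os_version = tuple(response["health"].get("os_version", (0, 0)))
    if os_version < MIN_OS_VERSION:
        return (False, "device out of date")
    return (True, "approved")


if __name__ == "__main__":
    ch = create_challenge("alice", "phone-1")
    print(verify_response(ch, device_respond(ch, "approve", {"os_version": [12, 4]})))
    print(verify_response(ch, device_respond(ch, "deny", {"os_version": [12, 4]})))
```

The signature covers the decision and the health fields, so an intermediary that flips a signed "deny" into "approve" fails the MAC check, and a stale challenge cannot be replayed after its TTL. The health snapshot is self-reported by the app in this toy; a production system would attest it more strongly.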
