UK watchdog issues $330k fine for Yahoo’s 2014 data breach

Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998.

Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users.

Certainly so given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case…).

The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller.

And it found a catalogue of failures — specifically finding that Yahoo UK Services had: failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for “a long period of time without being discovered or addressed”.

Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

According to the ICO, personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

Happily for Oath, GDPR does not apply retroactively, and the UK’s domestic regime in force at the time of the breach only allows for maximum penalties of £500k.

And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches, well, it’s not going to be too concerned with the regulatory sting here.

Reputation-wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed, so any damage had already been publicly attached to Yahoo.

An Oath spokesman told us the company does not comment directly on regulatory actions — but pointed to several developments since Yahoo was acquired, including the doubling in size of the global security organization; the creation in March of a cybersecurity advisory board; and the relaunch in April of an integrated bug bounty program.

Also, as we reported last year, Yahoo’s chief information security officer, Bob Lord — who was in charge at the time the breach was unearthed — lost out to AOL’s Chris Nims in the merger process, with the latter taking up the security chief’s chair of the new umbrella entity, Oath.

Security is certainly now being generally pushed up the C-suite agenda for all organizations handling EU data as a consequence of GDPR concentrating minds on much more sizable legal liabilities.

The regulation’s data protection by design requirements also mean privacy considerations need to be baked into the data processing lifecycle; ergo policies and processes must be in place, alongside strong IT governance and security measures, to ensure compliance with the law, the aim being to shrink attackers’ ability to intrude as happened so extensively in the Yahoo breaches.

“Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere,” added Dipple-Johnstone.

Earlier this year the ICO issued a larger fine for a 2015 hack of Carphone Warehouse which compromised data of more than 3M people, and also included historical payment card details for a subset of the affected users.
