Hackers have stolen information from half a billion Yahoo user accounts worldwide, including 8 million UK user accounts, in what is believed to be the largest and most high-profile publicly declared data security breach in history. The incident serves as a reminder to organisations to urgently review their data security processes and procedures in line with legal requirements.
The incident occurred in late 2014 but only came to light in August 2016 when a hacker was discovered selling Yahoo user account information online.
The stolen information comprised: user names; e-mail addresses; telephone numbers; dates of birth; and encrypted and unencrypted security questions and answers. It is believed that financial information was not included.
What has Yahoo done about it?
Yahoo has notified potentially affected users and advised them to change their passwords if they have not done so in the last two years and to also change their passwords and security questions for other third party services and accounts for which the same credentials are used.
It has also recommended that users review their accounts for suspicious activity, such as unsolicited e-mails requesting personal information or containing links or attachments.
What does the law say?
The Data Protection Act 1998 ("DPA") requires organisations to put in place physical and technological measures to ensure the security of the personal information that they hold. The level of security required is based on: the current state of technology; the cost of measures compared to the size of the organisation; the likely harm arising from loss; and the nature of the personal information held.
Where users are required to create usernames and passwords to buy or access goods or services online or to register with a website, a security measure could be requiring users to change their passwords every two years.
Alternatively, mandatory two-factor authentication could be used, whereby users input their username, password and a unique code sent to their mobile device via text message or app when accessing online services. Yahoo's two-factor authentication is optional, but given the highly personal and sensitive information likely to be stored within e-mail accounts, two-factor authentication should at least be mandatory for all webmail providers.
Does the law require organisations to publicise breach incidents?
Other than in the telecommunications sector, the DPA does not require organisations to report incidents to the Information Commissioner’s Office (“ICO”) or affected individuals.
But this is all set to change from 25 May 2018 with the EU General Data Protection Regulation. The Regulation requires organisations to report incidents to national data protection regulators within 72 hours of becoming aware of them (with some exceptions). The information to be reported includes: the nature of the incident; the number of affected individuals; the categories of information concerned; the likely consequences of the incident; and how the organisation has and proposes to deal with it. Affected individuals must be informed without undue delay in the case of high risk incidents. Failure to report could lead to a fine of up to €20m or 4% of global turnover, whichever is higher.
It is unlikely that the UK will leave the EU before May 2018, so it will still be required to implement the Regulation into UK law. In any case, the DPA is comparatively outdated and updates will be needed in line with the Regulation to ensure that the UK remains up to speed and competitive with the EU.
What will happen to Yahoo now?
Yahoo will face the wrath of data protection regulators worldwide, with six figure fines likely where personal information has been lost or stolen from user accounts. Had the incident occurred after May 2018, a seven or eight figure fine within the EU would have been likely under the Regulation.
Both the ICO and the Irish Data Protection Commissioner are making urgent enquiries with Yahoo.
An individual is suing Yahoo in a Californian federal court (on behalf of all Yahoo users in the United States), claiming that Yahoo has been grossly negligent.
Individuals based in the UK may also sue Yahoo for compensation if they have suffered damage or distress as a consequence of the incident. This is more likely where their personal information has been lost or stolen.
What should our organisation do now?
To prevent your organisation being the next “Yahoo”, use the incident as an urgent call to audit your online security and ensure it remains adequate against the current state of online threats, given your financial and human resources and available technology.
Review and update your data security and breach incident response policies and procedures to put your organisation in a robust position if and when it is faced with an incident.
If an incident occurs, be ready to inform affected individuals, reassure them that you have been proactive in minimising the damage and advise them to remain vigilant of any suspicious activity.
Doing so will help reduce the size of an ICO fine and protect your organisation’s reputation and public image – something that Yahoo might never recover from.
Contact us if you would like to discuss our bespoke data security advisory, audit and training services, if you are currently involved in a data security breach incident or if you are the subject of an ICO investigation.