Hackers have stolen information from half a billion Yahoo user accounts worldwide, including 8 million UK user accounts, in what is believed to be the largest and most high profile publicly declared data security breach in history. The incident serves as a reminder to organisations to urgently review their data security processes and procedures in line with legal requirements.
The incident occurred in late 2014 but only came to light in August 2016 when a hacker was discovered selling Yahoo user account information online.
The stolen information comprised: user names; e-mail addresses; telephone numbers; dates of birth; and encrypted and unencrypted security questions and answers. It is believed that financial information was not included.
What has Yahoo done about it?
Yahoo has notified potentially affected users and advised them to change their passwords if they have not done so in the last two years and to also change their passwords and security questions for other third party services and accounts for which the same credentials are used.
It has also recommended that users review their accounts for suspicious activity, such as unsolicited e-mails requesting personal information or containing links or attachments.
What does the law say?
The Data Protection Act 1998 ("DPA") requires organisations to put in place appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss of, the personal information that they hold (the seventh data protection principle). What counts as "appropriate" depends on: the state of technological development; the cost of implementing the measures; the harm that might result from a breach; and the nature of the personal information to be protected.
Where users are required to create usernames and passwords to buy or access goods or services online or to register with a website, forcing a password change every two years is one measure sometimes suggested. It is a weak one: routine expiry does nothing against an attacker who already holds the credentials during the months before the change, and tends to push users towards predictable variations of the old password. Current UK (NCSC) and US (NIST) password guidance therefore advises against periodic rotation and in favour of forcing a reset when a compromise is known or suspected, and screening new passwords against lists of passwords already exposed in breaches.
Alternatively, two factor authentication can be made mandatory: as well as a username and password, the user supplies a one-time code, either delivered by text message or generated by an authenticator app on their phone. The two are not equivalent. App codes are computed locally from a secret shared at enrolment rather than sent over the network, so they cannot be intercepted in transit or diverted by an attacker who has taken over the user's mobile number. Yahoo offers two factor authentication, but only as an option. Given the highly personal and sensitive information stored in e-mail accounts, and the fact that a webmail account is the password-reset channel for most of a user's other accounts, two factor authentication should at least be mandatory for all webmail providers.
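As an added illustration (not part of the original article, and not Yahoo's own implementation), the following Python shows how the app-generated code in such a scheme works and how a service should check it. It assumes the standard TOTP algorithm (RFC 6238, with HOTP from RFC 4226 underneath): HMAC-SHA1 over a 30-second time counter, truncated to six digits. The server-side `verify_totp` tolerates one step of clock drift in either direction, compares in constant time, and records the last accepted counter so that a code captured by phishing or SMS interception cannot be replayed within its validity window. The function and parameter names are this example's own.

```python
"""Added example: RFC 6238 time-based one-time passwords as a second factor."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

TIME_STEP = 30   # seconds per code, the usual authenticator-app setting
DIGITS = 6       # length of the code the user types in


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (this is what the app computes)."""
    return hotp(key, unix_time // step, digits)


def new_shared_secret() -> str:
    """Enrolment: a fresh 160-bit secret, base32-encoded for an otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def verify_totp(key: bytes, submitted: str, unix_time: int,
                last_counter: Optional[int], window: int = 1) -> Tuple[bool, Optional[int]]:
    """Server-side check of the code a user submitted at login.

    Returns (accepted, counter_to_store). last_counter is the counter of the last
    code this user successfully used; refusing anything at or below it is what
    stops a phished or intercepted code from being reused while still "valid".
    """
    # Reject malformed input before it reaches any comparison.
    if not (len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit()):
        return False, last_counter
    now = unix_time // TIME_STEP
    # Accept the current step and +/-window neighbours to tolerate phone clock drift.
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue                              # already used (or older): replay attempt
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    import time
    secret_b32 = new_shared_secret()              # shown to the user as a QR code at enrolment
    key = base64.b32decode(secret_b32)
    now = int(time.time())
    code = totp(key, now)                         # what the authenticator app would display
    ok, counter = verify_totp(key, code, now, None)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(key, code, now + 5, counter)
    print("same code replayed:", ok_again)        # refused even though still inside the window
```

The RFC 6238 test vectors (secret `12345678901234567890`) give a quick check that the arithmetic is right: time 59 produces `94287082` at eight digits and `287082` at six. One design note: the time window is a trade-off between usability and exposure, and one step either side is the common choice; the stored counter, not the window, is what closes the replay hole.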
Does the law require organisations to publicise breach incidents?
Other than in the telecommunications sector, the DPA does not require organisations to report incidents to the Information Commissioner’s Office (“ICO”) or affected individuals.
But this is all set to change from 25 May 2018 with the EU General Data Protection Regulation. The Regulation requires organisations to report personal data breaches to their national data protection regulator within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33). The information to be reported includes: the nature of the incident; the categories and approximate number of affected individuals and records; the likely consequences of the incident; and the measures the organisation has taken or proposes to take to deal with it. Affected individuals must be informed without undue delay where the breach is likely to result in a high risk to them (Article 34). Failing to notify is itself an infringement, punishable by a fine of up to €10m or 2% of worldwide annual turnover, whichever is higher; the top tier of €20m or 4% is reserved for breaches of the core data protection principles and of individuals' rights, and a service that failed to keep personal data secure may well have infringed the integrity and confidentiality principle too.
Although the UK has voted to leave the EU, it is unlikely to have left by May 2018, and as a Regulation the GDPR applies directly in member states without any national implementing legislation, so UK organisations will be bound by it. In any case, the DPA is comparatively outdated and updates will be needed in line with the Regulation to keep UK law aligned with the EU regime and to keep the UK competitive with the EU.
What will happen to Yahoo now?
Yahoo will face the wrath of data protection regulators worldwide, with six figure fines likely where personal information has been lost or stolen from user acc