Yahoo data breach - 8 million UK users affected

State-sponsored hackers, whose origin is not yet verified, have stolen data relating to 500 million Yahoo users, and this has lessons for the forthcoming GDPR legislation, to come into effect in May 2018.

The Yahoo breach is believed to have occurred in late 2014 but was first suspected in August this year when a hacker on the dark web claimed to have access to 200 million Yahoo accounts.

As it transpired the situation was even worse, with 500 million accounts compromised. Personal data like telephone numbers and email addresses were stolen.

The question is why it took so long for the news to become public.

UK Information Commissioner, Elizabeth Denham, said: “The vast number of people affected by this cyber-attack is staggering and demonstrates just how severe the consequences of a security hack can be.

“The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today.

“We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”

This hack occurred in the USA but serves as a reminder to all organisations gearing up for the General Data Protection Regulation (GDPR) of their obligations to report a breach. Furthermore, EU citizens’ data was also stolen, so the GDPR would apply to Yahoo when it comes into force in 2018.

Under the GDPR, organisations must alert the national data protection authority of a data breach ‘without undue delay and within 72 hours’. In the initial report an organisation will need to describe the number of data subjects at risk, the types of data breached, the possible consequences and how they propose to mitigate any effects.

Delaying reporting a data breach for a prolonged period of time would be a clear violation of the GDPR and a betrayal of consumer rights according to the legislation.

The GDPR includes sanctions of up to €20 million or 4% of global turnover, whichever is higher. Large multinationals like Yahoo need to ensure that their data breach management process is robust and compliant with the GDPR in the future.