Lessons from the Yahoo data breach

Once again the headlines are dominated by news of another major breach; unsurprisingly, this time it is the Yahoo data breach that has come to light.

What happened at Yahoo?

It’s a massive data breach, making Talk Talk, LinkedIn and Ashley Madison look tiny – 500 million records have been breached in what is being reported as a ‘state-sponsored’ hack with rumours of involvement from China, Korea or Russia. The breach occurred at some point in 2014 and impacts not just users of Yahoo, but potentially Sky and BT users as well.

Yahoo Data breach raises so many questions 

It is clear that this story will continue to run for many weeks and months. It raises so many questions: how much did Yahoo know? When did Yahoo find out? Why didn’t Yahoo recognise that a breach had occurred? And why does Yahoo think it was a state-sponsored attack, given that the data has found its way to the dark web?

I’m sure the new owners of Yahoo, the well-respected communications company Verizon, will have many more questions.

Advice for Yahoo users after the data breach

For users of the services who have had their data compromised, the advice is ‘change your email password’. Once again, the onus for fixing the problem seems to fall on the shoulders of the individual.

It hardly seems fair, does it, that a company which earns millions of dollars per year can pass the responsibility for resolving a problem that it created onto its users? The UK press has rumours of Yahoo being sued, but if true, it will undoubtedly take many years to pass through the courts. Even if a case is successful, will the end user receive compensation?

New data breach legislation is good news for the user

The good news is that legislation called the General Data Protection Regulation, or EU GDPR for short, is due to be introduced in Europe in May 2018. Despite the Brexit vote, the UK will still be a member of the EU at this point, as Article 50 has not been invoked. Therefore the legislation will affect the UK, and it will continue to impact companies in the UK post-Brexit if they wish to store or process data about EU citizens.

Why is the Yahoo data breach good news?

From May 2018, GDPR means individuals will have the right to be notified if their data is compromised. In the UK, companies will have to inform their data protection authority (i.e. the Information Commissioner’s Office) within 72 hours of identifying a breach, not two years as in the case of Yahoo. Failure to do so could mean that the company is fined up to €20 million or 4% of revenue. Directors will become accountable not just to their shareholders, but to the authorities and their customers, for ensuring adequate data protection is in place. Whilst we would prefer that all organisations adopt a strategy to prevent breaches because it makes good business sense, perhaps the threat of large fines will help to encourage this.

What can you do to protect your business from a data breach?

As a first step, boards need to make the security of user data a priority and ensure that it is on the agenda of their meetings. The ICO has produced a helpful 12-step guide aimed at helping companies prepare for the new legislation, which is only 18 months away. Our own Cyber Security questionnaire provides organisations with a gap analysis.

The next 18 months will pass quickly – we recommend that you begin to prepare for the future, starting today.

Want to ask an expert? Give us a call on 01926 800710 or email info@riskevolves.com.