Irish Data Protection Commissioner finds against Yahoo in massive email breach
The Irish Data Protection Commissioner (DPC) has found against Yahoo for a 2014 data breach that affected 500m people and 39m EU citizens.
However, the watchdog said that it will issue no fine or other punitive measure, largely because the breach occurred before the introduction of the General Data Protection Regulation (GDPR), which came into force last month.
Instead, the DPC has ordered Yahoo to update its data processing systems.
Yahoo’s European headquarters are in Dublin’s Point Village in the docklands.
“The DPC has notified Yahoo that it requires it to take specified and mandatory actions within defined time periods,” said a spokesman for the DPC.
“The DPC will be closely supervising Yahoo’s timely compliance with these required actions.”
The spokesman said that the breach was reported to the DPC in September 2016. It involved the unauthorised copying and taking, “by one or more third parties”, of material contained in approximately 500 million user accounts from Yahoo in 2014. It is the largest breach ever notified to and investigated by the DPC.
According to the DPC, the findings included the following:
- “Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law and as given effect or further effect in Irish law.”
- “Yahoo relied on global policies which defined the appropriate technical security and organisational measures implemented by Yahoo. Those policies did not adequately take into account Yahoo’s obligations under data protection law.”
- “Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law.”
The DPC went on to say that it has ordered Yahoo to take “specified and mandatory actions to bring its data processing into compliance with EU data protection law”.
These actions include that Yahoo “should ensure that all data protection policies which it uses and implements take account of the applicable data protection law and that such policies are reviewed and updated at defined regular intervals”.
The DPC also directed Yahoo “to update its data processing contracts and procedures associated with such contracts to comply with data protection law”.
The DPC said that it “will be engaging closely with Yahoo to monitor the quick and comprehensive implementation of these actions and if necessary will issue enforcement notices to secure compliance”.
The DPC added that a separate breach dating back to 2013 was not investigated because, at the time the breach occurred, “Yahoo EMEA was not a data controller within the meaning of the Data Protection Acts 1988 and 2003 and therefore Yahoo EMEA was not subject to the jurisdiction of the DPC”.