Yahoo escapes Irish fine in biggest-ever email breach
Yahoo has escaped a fine from the Irish Data Protection Commissioner after the watchdog found against it for a giant email data breach that affected 500 million Yahoo email users.
Instead, the tech giant has been ordered to change its data security and processing systems, on pain of court enforcement.
The breach occurred in 2014 and was reported to the office of the Irish Data Protection Commissioner (DPC) in September 2016, when Yahoo says it became aware of it. Some 39 million EU citizens were affected by the email breach, with 500 million affected overall.
The DPC's office said it will issue no fine or other punitive measure, because the events took place before the introduction of the General Data Protection Regulation (GDPR), which came into force last month.
If the same event occurred now, a company found to be in breach would face fines of up to €20m or 4pc of global turnover under new penalties introduced by the GDPR. Yahoo's European headquarters are in Dublin's Point Village in the docklands.
"The DPC has notified Yahoo that it requires it to take specified and mandatory actions within defined time periods," said a spokesman for the DPC.
"The DPC will be closely supervising Yahoo's timely compliance with these required actions."
According to the DPC, the breach involved the unauthorised copying and taking, "by one or more third parties", of material contained in approximately 500 million user accounts from Yahoo in 2014. It is the largest breach which has been investigated by the DPC, the spokesman said.
The DPC added that a separate breach dating back to 2013 was not investigated because, at the time the breach occurred, "Yahoo EMEA was not a data controller within the meaning of the Data Protection Acts and therefore Yahoo EMEA was not subject to the jurisdiction of the DPC".
Nevertheless, the company fell short of data protection law, according to the regulator.
"Yahoo's oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law and as given effect or further effect in Irish law," according to the watchdog's assessment of the tech company's behaviour.
"Yahoo relied on global policies which defined the appropriate technical security and organisational measures implemented by Yahoo. Those policies did not adequately take into account Yahoo's obligations under data protection law. Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law."
The DPC went on to say it has ordered Yahoo to take "specified and mandatory actions to bring its data processing into compliance with EU data protection law". These actions include that Yahoo "should ensure that all data protection policies which it uses and implements take account of the applicable data protection law and that such policies are reviewed and updated at defined regular intervals".
The DPC also directed Yahoo "to update its data processing contracts and procedures associated with such contracts to comply with data protection law". The move comes as companies try to integrate new data control requirements contained in the GDPR.