Friday 21 September 2018

Yahoo's credibility is in shreds but will our data protection chief act?

Another angle

It remains to be seen how Irish data protection commissioner Helen Dixon will now address matters such as the Yahoo breach. Photo: Robbie Reynolds
Adrian Weckler

The Irish data protection commissioner, Helen Dixon, probably winced when Yahoo notified her office in 2016 of a 2014 security breach affecting 500 million people, then thought to be the biggest hack in history.

How she then must have scowled when the company came back later that year to say that, in fact, a billion Yahoo accounts had been compromised in 2013.

So what must she be thinking now?

This week, Yahoo admitted that all three billion of its email accounts were hacked in 2013. In what must go down as the biggest shambles in recent security history, the company says it underestimated its initial tally of the 2013 breach.

Names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers (some of them unencrypted) were stolen.

The mind boggles at the incompetence.

But it is going to be very interesting to see what sort of regulatory consequences arise for Yahoo. If this were October 2018, it is possible that the company - which is now owned by the US communications firm Verizon through its Oath subsidiary - would face a monster fine. That's because the new General Data Protection Regulation (GDPR) brings with it fines of up to €20m or 4pc of annual global turnover.

Right now, though, it's conceivable that it will merely get away with a set of stern recommendations from the Irish office.

This is usually what happens to companies investigated by the DPC for data breaches. Our legislative enforcement climate is arguably very lax.

In its most recent annual report, the privacy watchdog outlined a number of cases with data breaches where little or no action was taken.

In one case, an online retailer exposed its customers' credit card transactions for almost eight weeks without knowing it. The credit card transactions were recorded and stored by hackers. However, the retailer did not face punitive action.

There were also cases recorded of breaches perpetrated by Bank of Ireland and Permanent TSB, both of which were found to have inappropriately shared customer information in individual cases. Neither faced punitive action.

None of these can be even remotely compared to what has transpired with Yahoo. And, to be fair to the DPC, it was involved in nine criminal prosecutions in the last 12-month period measured.

But it will be fascinating to see the extent to which Helen Dixon's office will now address matters such as the breach of three billion email addresses.

It will also be interesting to see how the rest of the world deals with what is surely one of the most controversial acts of security negligence in corporate history.

Some of that negative attention may fall on former CEO Marissa Mayer. Appointed in 2012, Mayer had a five-year tenure at the helm of the company that is starting to look like one of the worst in recent tech times.

It now looks even more tainted in hindsight. Yahoo-watchers will recall that she argued with the company's then chief security officer, Alex Stamos, over resources for security. She feared that the extra measures could lead to email users choosing rival services, such as Gmail. The paucity of proper security measures led to Stamos's departure to Facebook in 2015. The following year, Yahoo had to start admitting to the world that it had made an absolute pig's ear of securing its email accounts.

But not even the company's biggest critics could have predicted such an escalation in the damage caused.

As an aside, you may be thinking: three billion email accounts? Are there really that many people using Yahoo?

It takes quite a long time for an email address to completely die. Many people keep old email addresses on life support to check in on old contacts or friends who haven't migrated over to newer systems.

I'm one of these people. My old Yahoo account was activated in the early 2000s, a time before social networks when Hotmail and Yahoo still ruled our online communication.

In fact, Yahoo is still one of the top 20 websites visited every day around the world. That means it remains a relative powerhouse in developing, delivering and selling online display ads. It's nowhere close to Google or Facebook in scale, but it still sells enough to pull in over €1bn every quarter, largely from ads. A big portion of that comes from search ads: Yahoo is still used by lots of people (probably the same ones using Yahoo.com for other things) for basic web searches.

Yahoo has a recently refurbished building beside the Point Depot in Dublin's north docklands. There, it houses around 300 people who work in finance, HR and support roles. Not so long ago, the company had talked about possibly taking staff numbers up to 450. But recent events may cause the firm to alter course.
