Oath must swear to comply with GDPR after massive Yahoo data breach

8 Jun 2018

Oath sign at Yahoo’s former headquarters in California. Image: JHVEPhoto/Shutterstock

Yahoo’s new owner, Oath, escapes fine from Irish data watchdog for breach that affected 500m people, but it must tighten up its systems.

Ireland’s Data Protection Commission (DPC) has found against Yahoo in a data breach that affected the privacy of 500m people worldwide, including 39m EU citizens.

The investigation related to the data breach that occurred in 2014 and, since the EU’s General Data Protection Regulation (GDPR) only came into being in recent weeks, the DPC decided not to issue a fine.

‘It is the largest breach which has ever been notified to and investigated by the DPC’
– DATA PROTECTION COMMISSION

Also, in the intervening period, Yahoo was acquired by Verizon for $4.5bn and was merged with AOL to become Oath.

The DPC has instructed Oath to take specific actions, including updating Yahoo’s data processing contracts and procedures, to ensure they comply with EU law.

While no fine was issued, the case illustrates the reach of the DPC's remit in the wider digital world, given that Ireland is home to the international headquarters of so many internet giants, from Facebook to Microsoft and Google, to name a few.

Data heist almighty

“The breach which was reported to the DPC in September 2016 involved the unauthorised copying and taking, by one or more third parties, of material contained in approximately 500m user accounts from Yahoo Inc infrastructure in 2014,” the DPC said.

“At the relevant time, Yahoo EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo Inc acting as its data processor.

“The data breach ranks as one of the largest breaches to impact EU citizens, affecting approximately 39m European users. It is the largest breach which has ever been notified to and investigated by the DPC.

“The investigation of this breach was afforded the highest priority by the DPC with significant resources committed to the investigation over an extended period of time,” the DPC said.

The DPC ruled that Yahoo’s oversight of its data processing operations did not meet the standard required by EU and Irish law.

It said Yahoo relied on global policies that did not take into account its legal responsibilities, adding that it failed to take sufficient reasonable steps to comply with data protection law.

“Based on its findings, the DPC has notified Yahoo that it requires it to take specified and mandatory actions to bring its data processing into compliance with EU data protection law and as given effect or further effect in Irish law.

“These actions include that Yahoo should ensure that all data protection policies which it uses and implements take account of the applicable data protection law and that such policies are reviewed and updated at defined regular intervals.”

The DPC said that it will be engaging closely with Oath to monitor the enforcement of these actions and ensure that, going forward, its data processing operations comply with the new legal framework of GDPR.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com