THE DATA PROTECTION Commission has finished its investigation of a huge data breach by Yahoo.
The data breach was initially notified to the DPC on 22 September 2016, and the DPC began an investigation into what happened because Yahoo! EMEA Limited (Yahoo – since renamed Oath (EMEA) Limited) was a data controller.
The data breach ranks as one of the largest breaches to impact EU citizens, affecting approximately 39 million European users. It is the largest breach that has ever been notified to and investigated by the DPC.
The DPC has now established that the breach dated back to 2014. It said that a separate breach dating back to 2013 was not investigated by the DPC because, at the time the breach occurred, Yahoo was not a data controller within the meaning of the Data Protection Acts 1988 and 2003 and therefore Yahoo was not subject to the jurisdiction of the DPC.
Its investigation focused mainly on assessing the technical security and organisational measures Yahoo had in place at the time of the data breach. It also analysed Yahoo’s response to the data breach.
The investigation assessed whether there were potential areas in which Yahoo could improve its protection of individuals’ data protection rights.
The breach was reported to the DPC in September 2016 and involved the unauthorised copying and taking, by one or more third parties, of material contained in approximately 500 million user accounts from Yahoo! Inc infrastructure in 2014.
At the time, Yahoo EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo Inc acting as its data processor.
The DPC found:
- Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law and as given effect or further effect in Irish law.
- Yahoo relied on global policies which defined the appropriate technical security and organisational measures implemented by Yahoo. Those policies did not adequately take into account Yahoo’s obligations under data protection law.
- Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law.
The DPC has now notified Yahoo that the company must take specified and mandatory actions within defined time periods. It says it will be closely supervising Yahoo’s timely compliance with these actions.
The actions include that Yahoo should ensure that all data protection policies which it uses and implements take account of the applicable data protection law, and that such policies are reviewed and updated at defined regular intervals.
The DPC has directed Yahoo to update its data processing contracts and procedures associated with such contracts to comply with data protection law.
It has also directed the company to monitor any data processors which it engages for compliance with data protection law on an ongoing basis.
The DPC says it will be engaging closely with Yahoo to monitor the implementation of these actions and if necessary will issue enforcement notices to secure compliance. It will also continue to actively monitor Oath EMEA’s ongoing data processing operations to ensure those operations comply with the new legal framework of the General Data Protection Regulation.