“They didn’t wait for anything”: Yahoo will be fined £250k for breaking the old rules on handling personal data

    The other day, the UK Information Commissioner's Office (ICO) fined Yahoo for failing to comply with the Data Protection Act 1998. The reason was the leak of personal data belonging to 500 thousand British citizens, which occurred in 2014. We look at how this situation unfolded.


    / Flickr / Stock Catalog / CC BY

    How it happened


    In 2014, attackers broke into Yahoo's servers and stole the credentials of half a million users, including phone numbers, dates of birth, passwords, account recovery questions and the answers to them. The theft came to light after a person using the nickname Peace, known for “dumping” the data of Myspace and LinkedIn users, began openly selling the Yahoo database for just 3 bitcoins. The listing appeared on the darknet in 2016, but the attacker claimed to have stolen some of the data back in 2012 and to have sold it privately before that.

    During the investigation, which also involved the FBI, it emerged that Yahoo had learned of the breach immediately after the incident (in late 2014) but chose to remain silent until September 2016. Under the new regulation (GDPR), organisations will no longer be able to hide leaks from the public for so long. Articles 33 and 34 of the regulation oblige companies to notify supervisory authorities and the owners of the personal data within 72 hours of discovering a leak. For non-compliance with this rule, the GDPR provides for multimillion-dollar fines (Article 83, paragraph 4).

    In the US, notification deadlines have also been shortened. For example, in Colorado, from September of this year, all organisations will be required to report a data breach within 30 days (the shortest period of any state). In 2017, another 8 states updated their data breach notification policies. The average period across the US is 45 days.

    In Yahoo's case, the company is accused of the following:

    • failing to ensure the security of the data of 515,121 users;
    • failing to bring its processing of personal data into line with the regulations;
    • failing for a long time to report the detected "holes" and the leak.

    As a result, the ICO decided that Yahoo had violated the seventh principle of Part I of the DPA 1998, which states “the need to take appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, as well as their accidental loss, damage and deletion”. Under section 55A of the DPA 1998, the maximum fine payable in such a case is 500 thousand pounds sterling. Although the Office took mitigating circumstances into account (listed in item 12 of paragraph 44 of the ruling on the Yahoo case, among which the commissioner highlighted the complexity of the cyber attack, the company's willingness to cooperate with government officials, and others), the company cannot avoid the fine.

    Similar cases


    A similar incident occurred at the British company TalkTalk, which was hacked in October 2015. The attackers gained access to the personal information of 150 thousand of the provider's customers, including the confidential financial data of 15 thousand people.

    The criminals' chosen method of attack was SQL injection, and a representative of the Office noted that defences against attacks of this type have long been established. Moreover, before the major “leak”, TalkTalk had received 2 “warnings”: attacks in July and September 2015 that exploited a similar vulnerability. The Office therefore concluded that TalkTalk "could have prevented the attack if they had taken basic steps to protect customer data" and fined the company £400k.

    The same amount was levied on the retailer Carphone Warehouse, headquartered in London. The company's victims numbered 3 million customers: cybercriminals gained access to their names, addresses, telephone numbers, dates of birth, marital status and credit card payment history.

    The cause of the data breach was outdated software. The investigation also revealed that the company did not carry out standard security testing. As in the Yahoo case, the ICO regarded such negligence as a serious violation of the seventh principle of the DPA 1998 and imposed a penalty on Carphone Warehouse close to the maximum.

    What's next


    James Dipple-Johnstone, the ICO's Deputy Commissioner for Operations, notes in a blog post on the Yahoo case that people entrust companies with their data in the hope that their personal information will not end up in the hands of third parties. However, not all companies take the protection of their customers' data seriously. In such situations, the authorities are forced to step in.



    / Flickr / Willi Heidelbach / CC BY

    If organisations are unable to provide adequate protection for their clients' personal data, they may find themselves looking for work somewhere outside the EU, the deputy commissioner said.

    The Office understands that cyber attacks will continue to happen and that cybercriminals' methods will become even more sophisticated, but it requires organisations to make every effort to protect their clients' data.

    As UK Information Commissioner Elizabeth Denham stresses, “companies must do more than just close the door. They must put a lock on it and constantly check it. They must also remember that it is useless to lock the door if the key is left under the rug.”
