29 September 2016 - Post by:Charlotte Mullarkey
Once again we learn of a vast data breach – this time relating to Yahoo user details. This is perhaps the biggest breach yet discovered. And “discovered” is the worrying factor. What else is out there?
The Yahoo breach appears to have occurred several years ago – in 2014 – and was only revealed by Yahoo last week. The number of users affected looks to be around 500 million – with more than 8 million UK user accounts among them. The personal data involved may have included addresses, phone numbers, dates of birth and security questions and answers. Interestingly, Yahoo believes that a state-sponsored hacker was responsible.
Regulators in Ireland (where Yahoo has its European headquarters) and in the UK are seeking further information. The Irish Data Protection Commissioner is working with the US Federal Trade Commission to coordinate their respective enquiries.
The ICO has, unusually, commented on this data breach. Elizabeth Denham, the new UK Information Commissioner, said that “the vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be.” “We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data. People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”
This unusual step in providing comment on this particular case may be attributed to its scale or to concerns about the frequency of cyber attacks.
The ICO has, for some time, said that it expects to be made aware of serious breaches relating to personal data. It is now considered good practice to notify the competent Data Protection Authority before making a public statement, to help minimise and manage the effect on the data subjects. In 2018, a mandatory requirement will be introduced under the GDPR.
It is unfortunately not difficult to imagine that companies could experience a cyber attack and not know anything about it. Reports suggest that Yahoo stumbled across this particular breach by chance, having investigated something else which led to a broader review of their systems. Cyber attackers spot vulnerabilities in new technologies and can often exploit them while avoiding detection. Attacks made through encrypted traffic, for example, may be difficult to detect unless technology is deployed to scan this traffic.
We are perhaps on the crest of the wave as cyber attacks become more common and increasingly sophisticated. IT security departments are, for the most part, well aware of the need to monitor the threats and continually upgrade their systems. Alongside this, companies need robust internal policies to detect and respond to any incident so as to minimise damage – both to the individuals affected and to their own reputation.
It is hardly surprising that concern about cyber threats is front of mind for Boards around the world.