The Information Commissioner’s Office (ICO) has confirmed that it is talking to Yahoo about the reported billion-account breach.
In a statement, Deputy Information Commissioner Simon Entwisle said that the “significant data loss” at Yahoo gives it further cause for concern. “We’d expect any formal investigation to be handled by US and European authorities, but the ICO will continue to make its voice heard on behalf of people affected in the UK,” he said.
“We are talking to Yahoo again today and we are in touch with the relevant international authorities to ensure the data protection interests of UK customers are considered.”
Jason Hart, VP and CTO for Gemalto’s data protection solutions, said that according to Gemalto’s Breach Level Index, over one billion records have been compromised in 2016, and that based on what it currently knows about this latest Yahoo breach, it would be the largest data breach of all time.
“What’s concerning about this breach is that Yahoo still hasn’t been able to confirm the source of the intrusion yet, and the fact that it took them over three years to discover a breach of this magnitude speaks to the amount of work we in the security industry still need to do,” he said. “If Yahoo, one of the largest tech companies in the world, is struggling with security, how can companies with fewer resources combat these bad actors?”
David Gibson, VP of strategy and market development at Varonis, said that incidents like this will only bolster the need for mandatory reporting in the General Data Protection Regulation, and also place a new burden on data controllers like Yahoo.
He said: “Under the GDPR, the IT security mantra is ‘always be monitoring’. You’ll need to spot unusual access patterns against files containing personal information, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues just like Yahoo.”
Jes Breslaw, EMEA director of strategy at Delphix, said that had the GDPR already been in operation, Yahoo could be facing a fine in the region of $200 million for its failures in due diligence.
“The challenge has always been that more robust security measures, such as masking both production and test data, are an expensive and complex task that organizations have avoided,” Breslaw said.
“In order to overcome this barrier and be prepared for a post-GDPR world, organizations need to start considering new technologies, such as data masking and data virtualization, that pseudonymize data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business from costly data breaches and ensure compliance while improving agility and time-to-market.”