It was reported this week that the United Kingdom’s Information Commissioner’s Office (ICO), the regulator responsible for upholding the nation’s data protection law, has fined Yahoo! UK Services Limited £250,000.
The penalty is in response to the global data breach that Yahoo suffered in 2014 and, for all practical purposes, hid until it disclosed the incident in September 2016. Approximately 500,000 accounts in the UK were affected.
Knowing what we do of the Yahoo breach, and keeping in mind that the ICO could issue a monetary penalty of up to £500,000 under the Data Protection Act 1998 (the law that applied to this breach), it sounds like a woefully inadequate amount. For comparison, the US Securities and Exchange Commission (SEC) fined Yahoo $35 million, roughly a hundred times the ICO’s penalty at 2018 exchange rates.
Data Breach Not the Issue?
According to cnet.com, Yahoo UK was not fined for the data breach itself. Apparently, what the ICO views as problematic is the long delay in notifying people of the breach (two years!).
Which is crazy if it’s true.
There was no “delay.” Yahoo didn’t merely fail to alert users of the breach “in a timely manner.” For all intents and purposes, the company appears to have actively hidden the breach, and that is the real scandal. Data breaches involving hundreds of millions of people are not a rarity anymore, and neither is going public with the fact at the speed of molasses, of which not alerting affected users is a key component. To fine Yahoo UK merely for taking longer than usual to notify people of a data breach is bonkers.
Thankfully, it seems that the ICO took more than the so-called delay into account:
- Yahoo! UK Services Ltd failed to take appropriate technical and organisational (sic) measures to protect the data of 515,121 customers against exfiltration by unauthorized persons;
- Yahoo! UK Services Ltd failed to take appropriate measures to ensure that its data processor – Yahoo! Inc – complied with the appropriate data protection standards;
- Yahoo! UK Services Ltd failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data;
- The inadequacies found had been in place for a long period of time without being discovered or addressed.
Still, the explanation doesn’t quite make sense. In the past, the ICO has issued penalties as high as £400,000 for data breaches, as well as for other violations of the Data Protection Act. Considering only the data-breach cases, none of the other companies swept the incident under the rug. They were accused of being technically negligent (same as Yahoo); of having the financial, technical, and other means to ensure better data security (same as Yahoo); of not being aware that they had been hacked when they could easily have found out (same as Yahoo); and so on. In most cases, if not all, fewer people were affected than in the Yahoo breach.
So why is Yahoo UK’s penalty so much lower, especially considering that the other companies do not have the dubious reputation of actively hiding the fact that they were hacked? If anything, you would expect Yahoo UK’s penalty to have set a new high in the history of ICO monetary penalties to date.