DPC statement on Yahoo data breach
15 December 2016.
The Data Protection Commissioner was updated yesterday evening by Yahoo EMEA on the latest Yahoo Inc data breach developments.
We are urgently examining the facts that have been made available to us in order to ascertain the further investigative questions we need to pose and steps to be taken in order to ultimately conclude if European data protection laws have been breached.
Yahoo EMEA is the Irish-based data controller for all European based users of the Yahoo services and has obligations under Irish data protection laws to ensure any processor to which it transfers personal data (in this case to Yahoo Inc) provides sufficient guarantees in respect of the technical security measures governing the processing.
The DPC is continuing its investigation into Yahoo EMEA in relation to the data breach notified in September, including an examination of the latest information provided on that incident.
We understand that Yahoo is issuing guidance to affected users. Users should take the actions outlined in that guidance.