Data Protection Commission concludes investigation into Yahoo Data Breach

07th June 2018

The Data Protection Commission (“DPC”) has today issued its final report in respect of its investigation of a data breach concerning Yahoo! EMEA Limited (“Yahoo”) (since renamed Oath (EMEA) Limited).

The breach which was reported to the DPC in September 2016 involved the unauthorised copying and taking, by one or more third parties, of material contained in approximately 500 million user accounts from Yahoo! Inc infrastructure in 2014. At the relevant time, Yahoo! EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo! Inc acting as its data processor.

 

The data breach ranks as one of the largest breaches to impact EU citizens, affecting approximately 39 million European users. It is the largest breach which has ever been notified to and investigated by the DPC. 

 

The investigation of this breach was afforded the highest priority by the DPC with significant resources committed to the investigation over an extended period of time.

 

On foot of this investigation, the DPC has notified Yahoo that it requires it to take specified and mandatory actions within defined time periods. The DPC will be closely supervising Yahoo’s timely compliance with these required actions.

 

The findings made by the DPC include the following:

  • Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law and as given effect or further effect in Irish law;
  • Yahoo relied on global policies which defined the appropriate technical security and organisational measures implemented by Yahoo. Those policies did not adequately take into account Yahoo’s obligations under data protection law; and
  • Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law. 

 

Based on its findings, the DPC has notified Yahoo that it requires it to take specified and mandatory actions to bring its data processing into compliance with EU data protection law and as given effect or further effect in Irish law. These actions include that Yahoo should ensure that all data protection policies which it uses and implements take account of the applicable data protection law and that such policies are reviewed and updated at defined regular intervals. The DPC has directed Yahoo to update its data processing contracts and procedures associated with such contracts to comply with data protection law. The DPC has also directed Yahoo to monitor any data processors which it engages for compliance with data protection law on an ongoing basis in accordance its obligations under EU data protection law and as given effect or further effect in Irish law.

 

The DPC will be engaging closely with Yahoo (now Oath EMEA) to monitor the quick and comprehensive implementation of these actions and if necessary will issue enforcement notices to secure compliance. In addition, the DPC will continue to actively monitor Oath EMEA’s  ongoing data processing operations to ensure those operations comply with the new legal framework of the General Data Protection Regulation.

 

 

Note to editors: 

 

The final report of the Data Protection Commission’s investigation into the data breach concerning Yahoo! EMEA Limited (“Yahoo”) (since renamed Oath (EMEA) Limited) was issued today to Oath (EMEA). It is not the practise of the DPC to issue investigation reports as such reports include information and analysis which are confidential to the companies concerned.

 

The data breach was initially notified to the DPC on 22 September 2016 and the DPC commenced an investigation into how Yahoo discharged its obligations as a data controller under EU data protection law and as given effect or further effect in Irish law in the context of the breach. In the course of its investigation, the DPC established that the breach dated back to 2014. 

 

A separate breach dating back to 2013 was not investigated by the DPC because, at the time the breach occurred, Yahoo! EMEA Limited was not a data controller within the meaning of the Data Protection Acts 1988 and 2003 (“Acts”) and therefore Yahoo! EMEA Limited was not subject to the jurisdiction of the DPC.  

 

The DPC’s investigation focussed primarily on assessing the technical security and organisational measures Yahoo had in place at the time of the data breach as well as analysing Yahoo’s response to the data breach. The investigation also assessed whether there were potential areas in which Yahoo could improve its protection of individuals’ data protection rights in respect of those individuals for whom Yahoo is a data controller. 

 

The investigation into the data breach was conducted under section 10 “Enforcement of Data Protection” of the Data Protection Acts 1988 and 2003 (“Acts”). One of the enforcement tools available to the DPC under the Acts are enforcement notices. The Acts also give the DPC the power to issue an “enforcement notice” if the Commissioner is of the opinion that a data controller has contravened or is contravening the Acts. An enforcement notice may require a controller to take specified action within a specified time limit.

 

The General Data Protection Regulation (“GDPR”) entered into force on the 25 May 2018 and introduced a new data protection regime which will apply on an EU-wide basis. One of the significant changes which the GDPR introduces for the DPC is that the DPC will have the power to apply administrative fines (up to the higher of €20 million or 4% of the total worldwide annual turnover of the preceding financial year). The Irish Data Protection Act 2018 gives further effect to the GDPR. Section 8 of that Act confirms that the 1988 Act applies to a contravention that occurred before May 25th 2018.

 

According to the records of the Irish Companies Registration Office, a change of name from “Yahoo! EMEA Limited” to “Oath (EMEA) Limited" for company number 426324 was registered on 2 October 2017.

 

ENDS

 

For media related queries, please contact

Graham Doyle

Head of Communications 

Irish Data Protection Commission

 

087 9392359