The Irish Data Protection Commission (DPC) has slammed Yahoo for a 2014 data breach exposing data on 39 million European users, saying in a report released this week that Yahoo’s data processing did “not meet the standard required by EU data protection law.”
In concluding its multi-year investigation, the DPC requires Yahoo to take several remedial actions by set deadlines. For example, it must:
- Update its data processing contracts and the procedures related to those contracts
- Monitor any data processors it uses to ensure that they are in compliance
- Ensure that all its data protection policies are in compliance with the law
The DPC adds that it will closely monitor these actions.
The breach, which affected 500 million users worldwide, occurred before Yahoo was acquired by Verizon and integrated into the Oath brand. The DPC calls it “the largest breach which has ever been notified to and investigated by the DPC.”
The DPC report criticized Yahoo, charging that the data-processing operations performed by its data processor did not meet European or Irish standards. In addition, it states that the firm did “not adequately take into account Yahoo’s obligations under data protection law.”
The DPC report adds that Yahoo "did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law."
The DPC statement did not announce any penalty, but noted that the General Data Protection Regulation (GDPR) imposes stiff fines for non-compliance and gives the DPC the power to levy them. Because the breach predates the GDPR, which applies only from 25 May 2018, those fining powers were not available in this case.
According to the DPC, “Yahoo! EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo! Inc acting as its data processor.”