The Irish Data Protection Commission (DPC) has slammed Yahoo for a 2014 data breach exposing data on 39 million European users, saying in a report released this week that Yahoo’s data processing did “not meet the standard required by EU data protection law.”
In concluding its multi-year investigation, the DPC requires that Yahoo take several remedial actions on deadline. For example, it must:
- Update its data processing contracts and procedures related to those contracts
- Monitor any data processors it uses to ensure that they are in compliance
- Ensure that all its data protection policies are in compliance with the law.
The DPC adds that it will closely monitor these actions.
The breach, which affected 500 million users worldwide, occurred before Yahoo was acquired by Verizon and integrated into the Oath brand. The DPC calls it “the largest breach which has ever been notified to and investigated by the DPC.”
The DPC report criticized Yahoo, charging that the data-processing operations performed by its data processor did not meet European or Irish standards.
In addition, it states that the firm did “not adequately take into account Yahoo’s obligations under data protection law.”
The DPC report adds that Yahoo "did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law."
The DPC statement did not mention any penalties, but noted that the General Data Protection Regulation (GDPR) imposes stiff fines for non-compliance and gives the DPC the power to levy them.
According to the DPC, “Yahoo! EMEA was the data controller for the subset of the affected user accounts associated with EU citizens, with Yahoo! Inc acting as its data processor.”