500 million Yahoo user accounts hacked – $16 million lost. What can we learn?
Lesson 1 – Failure to understand a problem and react will cost you –
The accounts of 500 million Yahoo users were hacked in 2014. A subsequent board investigation by Yahoo discovered that senior executives, in house lawyers and IT security personnel were aware of the hack in 2014, and subsequent unauthorised access attempts in 2015 and 2016. The individuals with knowledge of the attacks did not adequately understand or investigate the position, and this has led to lawsuits against Yahoo.
Lesson 2 – Learn from experience –
Yahoo has a history of similar attacks. In 2013 information was stolen from 1 billion users. The hack was only discovered when an external expert became aware that information stolen in the 2013 attack was being offered for sale. Yahoo thinks the individuals behind the more recent hack used the information gathered to create a cookie which would enable access to 32 million Yahoo accounts. Yahoo has offered no explanation for why this attack was not spotted internally, and what changes were being made between hacks, therefore failing to demonstrate that they learn from experience and adapt to reduce future risk. Yahoo now reports that it has revised its processes in response to attacks, including ensuring incidents are brought to the attention of senior executives and the board.
Lesson 3 – Risks have consequences –
The consequences of these breaches have been far reaching. Yahoo’s chief in-house lawyer has taken the blame for Yahoo’s security failures and resigned. This follows the resignation of the company’s senior information security officer in 2015, who left, allegedly after disagreements over the company’s security policies. Yahoo’s CEO, Marissa Mayer, is also giving up her 2016 bonus and 2017 equity compensation in light of the breaches.
Revelations concerning the cyber-hacks came at a particularly inopportune time for Yahoo as it is in the process of selling its internet operations to Verizon and hoping to close the deal by end of June. As a result of the breaches, Yahoo reduced the sale price by $350 million.
Lesson 4 – You need adequate policy & procedure or risk being sued –
There are now 43 consumer class actions against Yahoo relating to the attacks, globally. There is also a shareholder class action on foot. Yahoo is further co-operating with various public bodies in relation to the breaches, including the Securities and Exchange Commission, the Federal Trade Commission, the US Attorney’s office for the Southern District of New York and two state attorneys general.
Highlighting the impact of its security failures, Yahoo reported that its costs directly relating to the incident total $16 million.
The answer, it appears, is that you can’t. A company found by the Information Commissioner to have left a huge number of automated messages relating to Payment Protection Insurance, debt management and personal injury claims was held to have obtained its contact information in a manner which breached the principles of the rules governing privacy and electronic communications. Specifically, although the company had received assurances from those from whom it purchased call data, it became apparent that the way the data had been acquired, by recording user details entered on various kinds of website, was far from perfect.
The question was whether it was permissible for the company to rely upon warranties which it had received from its data brokers concerning consent when the websites had privacy statements of a wide, non-specific and general nature. Specifically, the Commissioner stated:
“… Organisations buying marketing lists from … [others] must make rigorous checks to satisfy themselves that the … [other] has obtained the … necessary consent. Organisations should take extra care to ensure that the consent is sufficiently clear and specific if using a bought-in list to make automated marketing calls.”
The Information Commissioner fined the company £270k for various related infractions. In setting out the true test when buying brokered data, the Commissioner said:
“It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following:
- How and when was consent obtained?
- Who obtained it and in what context?
- What method was used – e.g. was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
- Did it specifically mention texts, emails or automated calls?
- Did it list organisations by name, by description, or was the consent for disclosure to any third party?
- Is the seller a member of a professional body or accredited in some way?
“A reputable list broker should be able to demonstrate that the marketing list for sale is reliable by explaining how it was compiled and providing full details of what individuals consented to, when and how. If the seller cannot provide this information, a buyer should not use the list.
“In this case the Company relied upon contractual assurances from its third party data providers that the necessary consent had been obtained for making automated direct marketing calls. However, it was unable to provide copies of some of those contracts. Those it could provide did not demonstrate that adequate consent had been obtained for the making of automated direct marketing calls by the Company. Further, the Commissioner considers that the Company failed to undertake adequate due diligence on its data providers.”
This decision sets a high-water mark: when purchasing data you must be sure that it comes with the necessary consent and, it seems, you are under an obligation to check.
First EU-US Privacy Shield review to take place in September 2017 –
The annual review into the operation of the EU-US Privacy Shield will take place in September; we will report back on it later in the year.
UK regulator discusses PECR –
The UK ICO is engaged on the upcoming changes to the law on privacy of electronic communications. The ICO said it has provided its views to those in the EU drafting the proposal and is currently working via the Article 29 Working Party of EU Information Commissioners to influence opinion on how it could be improved. It said: “Because there is currently no agreed timetable for finalising the new ePrivacy law within Europe, we can’t yet make fixed plans for guidance. An initial guidance document from the ICO, highlighting the likely key issues, is planned for later in the year.” We will report back on any changes of note and timetable updates.