Altaba, the company formerly known as Yahoo Inc., has been ordered to pay a $35 million penalty to the Securities and Exchange Commission (SEC) after the online services provider failed to disclose one of the biggest data breaches in history, in an attempt to deceive investors and the market.
In December 2014, Yahoo suffered a data breach that affected roughly 500 million users, whose personal data was stolen by alleged Russian state hackers. Usernames, email addresses, encrypted passwords, dates of birth and phone numbers were all illegally accessed in the hack, which was only made public two years later. It is understood that senior officials within Yahoo were informed, but the company failed to investigate the matter further.
The breach only came to light when Verizon attempted to buy the company in 2016, leading to Yahoo discounting approximately $350 million off the original deal due to the reputational damage caused by the announcement.
The bad news kept piling up for Yahoo, which in 2017 released a statement declaring that the organization had been hit by a separate breach incident in 2013 that had affected all three billion accounts. The disclosure resulted in the firing of its senior lawyer, Ron Bell, and Yahoo's CEO at the time, Marissa Mayer, stepped down from her position.
Undoubtedly, this case will go down as a historic example for years to come, and one can only hope that other major companies take note. Though Yahoo had to learn the hard way, the impending European General Data Protection Regulation (GDPR) gives some structure to what is now expected of companies that store customers' and employees' personal data. And with terabytes upon terabytes of data piling up in organizations, it is time for companies to stop, take a breath and take stock of all their sensitive data: hire or appoint a Data Protection Officer (DPO), carry out a data audit and have a plan in place in case the worst should happen. If companies can prove that they took reasonable actions to satisfy the new regulations, then the impact is likely to be far less than if they failed to do so.
At eperi, we know one of the best data protection actions any company can take is to encrypt, tokenize or anonymize sensitive data. That way, even if hackers were to successfully access the corporate network, whether in the cloud or on-premises, they can do very little with encrypted, meaningless data.
Read more about the various methods of data protection here.