Last week news broke that one billion Yahoo accounts had been affected by a cyber attack in 2013 which saw the personal data of users – including their names, phone numbers and email addresses – accessed without authorisation. It represents the largest data breach ever reported and bookends a year which has not been kind to the internet giant, who only in September announced that it had been subject to a separate attack in 2014 which saw another 500 million of its user accounts hacked.
While there will be a long-running investigation and analysis into the causes – Yahoo has alleged that the attack was state-sponsored – there are likely to be significant immediate consequences. As well as the obvious reputational damage (#yahoobreach has been trending on Twitter), announcement of this attack raises questions over the proposed acquisition of Yahoo by US mobile carrier Verizon. It has already been reported that Verizon reduced its valuation of Yahoo by $1 billion after details of the 2014 breach emerged. As more information comes to light about yet another attack, the company’s valuation is likely to be impacted even more – both because of the scale involved and because it demonstrates a pattern of security failures.
This is the latest in a series of high profile “mega breaches” which have been reported this year and serves as a timely reminder that for all the benefits which the internet and technology affords to businesses today, cyber attacks remain an inherent risk to firms of all sizes. Even the biggest of names are not immune. In the face of such a technological landscape, it is vital that organisations remain diligent and vigilant to the threat of an attack in order to meet their duty to keep their customers’ data secure.
Cyber security has also been a key area of focus in the legal community in recent months following the passing of the new EU General Data Protection Regulation. While it is not due to come into force until 25 May 2018, your organisation should begin to take steps to prepare for the Regulation’s heightened data security requirements now. The Information Commissioner’s Office – the UK’s regulator for data protection matters – has already announced that the Regulation is due to be adopted into UK law despite Brexit and that UK companies will be obliged to comply with the Regulation if they wish to continue to do business and share information with their European customers and partners through 2018 and beyond.