A recent decision by a California court has ruled that Yahoo, now known as ‘Oath’, must face litigation over its failure to disclose promptly what were, at the time, the largest cyber-attacks ever recorded.
Yahoo, since acquired by the US telecommunications company Verizon, will face litigation from more than a billion users whose personal data was taken in the attacks. Yahoo argued that the users lacked the legal standing to bring proceedings, but the court found that the plaintiffs’ “alleged risk of future identity theft” gave them a valid interest in pursuing the company. It was also argued that, had Yahoo disclosed the breaches earlier, users could have taken steps to mitigate the losses they suffered.
The first of the two attacks to be disclosed, which took place in 2014, was made public in September 2016: email addresses, names and security information for more than 500 million Yahoo accounts had been stolen. It was the largest cyber-attack recorded at that time. Despite its gravity, the breach only came to light two years later, while claims that 200 million Yahoo user records had been offered for sale on the dark web were under investigation.
Much of the blame for this attack was placed on Yahoo’s method of protecting passwords, which were stored as MD5 hashes. MD5 is a fast, general-purpose hash function rather than a purpose-built password hash, so the digests of common passwords can be recovered by brute force or precomputed lookup far faster than with a slow, salted scheme. Dave Palmer, director of technology at the cyber security company Darktrace, described the method as “extremely dated” and unsuitable for a company such as Yahoo to be using.
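To make the point about MD5 concrete, the following is an added example, not code from the article or from Yahoo. It stores a constructed set of sample accounts (made-up addresses and passwords, not Yahoo data) first as bare MD5 digests and then with PBKDF2-HMAC-SHA256 plus a random per-user salt, and runs the same small wordlist attack against both. PBKDF2 is assumed here as the stronger alternative purely for illustration; bcrypt, scrypt or Argon2 would serve the same purpose. The iteration count and the function names are the example’s own choices, not anything the article describes.

```python
import hashlib
import hmac
import os

# Constructed sample of what leaks when passwords are stored as bare MD5
# digests.  These are made-up accounts, not Yahoo data.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"letmein").hexdigest(),
    "bob@example.com": hashlib.md5(b"password1").hexdigest(),
    "carol@example.com": hashlib.md5(b"xK9#v2!qLm7z-Tq").hexdigest(),
}

# Constructed attacker wordlist (a real one would hold millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1"]


def crack_md5(table, wordlist):
    """Recover passwords from unsalted MD5 digests with a precomputed lookup.

    MD5 is fast and, without a per-user salt, every user with the same
    password has the same digest, so one pass over the wordlist cracks the
    whole table at once.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[d] for user, d in table.items() if d in lookup}


def hash_password(password, iterations=600_000, salt=None):
    """Store a password with PBKDF2-HMAC-SHA256, a random 16-byte salt and a
    high iteration count (assumed parameters, chosen for illustration)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the stored digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def crack_pbkdf2(table, wordlist):
    """Run the same wordlist attack against the salted store.

    The salt forces a full PBKDF2 computation per user per guess, so the
    attacker's cost grows as users * guesses * iterations instead of one
    cheap digest per guess.  Returns the passwords found and the number of
    hash iterations the attacker had to spend.
    """
    found = {}
    work = 0
    for user, record in table.items():
        for w in wordlist:
            work += record["iterations"]
            if verify_password(w, record):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    # Two users with the same password get different records once salted.
    salted = {u: hash_password(p, iterations=10_000)
              for u, p in [("alice@example.com", "letmein"),
                           ("bob@example.com", "letmein")]}
    print("same password, different records:",
          salted["alice@example.com"]["digest"] != salted["bob@example.com"]["digest"])
    found, work = crack_pbkdf2(salted, WORDLIST)
    print("PBKDF2 cracked:", found, "after", work, "hash iterations")
```

Note that a weak password still falls to a wordlist attack under PBKDF2; what changes is that each guess now costs hundreds of thousands of hash iterations and must be repeated for every user, whereas the unsalted MD5 table is cracked in one pass with a single lookup table.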
The September 2016 disclosure came two weeks after Yahoo had stated that it had no knowledge of any security breach, unauthorised access or unauthorised use of its IT systems. Fortunately for Yahoo and its victims, the attack did not expose users’ payment card or bank account information, which was stored on a separate network.
The second attack to be disclosed, in December 2016, had in fact occurred earlier: in August 2013 hackers stole personal data from more than a billion Yahoo accounts. The data accessed included unencrypted security questions and answers, and Yahoo later confirmed that it may also have included names, email addresses, telephone numbers and dates of birth. This second failure to disclose a significant breach prompted an investigation by the US Securities and Exchange Commission, and the criminal investigation into the breaches led to US charges against two officers of the Russian Federal Security Service.
The two attacks have had substantial consequences for Yahoo. Verizon cut its purchase price by $350m, one of the first occasions on which a cyber-attack has resulted in a revised acquisition price. Because senior executives knew of the hack and did not disclose it, Yahoo’s general counsel and secretary, Ronald S. Bell, resigned with no severance pay, and chief executive Marissa Mayer left the company when the acquisition by Verizon completed.
Victims of the hack included California resident Kimberley Heines, whose email account contained information about her social security benefits, which were subsequently stolen, and Paul Dugas, who claimed that people had fraudulently filed tax returns under his social security number.
The court’s decision follows a recent settlement with the US Federal Trade Commission under which the ride-hailing group Uber will be subject to 20 years of privacy audits for failing to adequately protect customers’ and drivers’ personal data. Both outcomes underline the need for tight, high-quality data protection policies and for prompt disclosure of breaches. While the current Data Protection Acts impose no formal disclosure timeframe, the General Data Protection Regulation will require the Data Protection Commission to be notified within 72 hours of an organisation becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the individuals affected.
Given the importance of disclosure, the Data Protection Commission has published thorough guidance on breach notifications, which can be found at https://www.dataprotection.ie/docs/Data-Breach-Handling/901.htm.