In the latest damaging data breach to afflict Yahoo, the company has admitted that personal data belonging to an estimated 1 billion users was stolen in a 2013 cyber-attack, following an earlier admission that 500m accounts had been targeted in 2014.
The new hack, labelled by some analysts as “the biggest in history”, brings further reputational damage to Yahoo and has led to speculation that the forthcoming $4.8bn takeover of Yahoo by US corporation Verizon could be at risk.
Yahoo’s EMEA headquarters is based in Ireland, and the Irish Data Protection Commissioner immediately released a statement (15.12.16) on the ODPC website expressing its concerns, and its intention to investigate Yahoo further.
Noting that they would be taking steps to conclude whether European Data Protection laws had been breached, the Irish DPC highlighted Yahoo’s “obligations … to ensure any processor to which it transfers personal data (in this case to Yahoo Inc) provides sufficient guarantees in respect of the technical security measures governing the processing”.
Previously in November 2016, and responding to an earlier data breach affecting Yahoo, the Irish Data Commissioner Helen Dixon told a Dublin audience of data protection professionals that her office was already investigating whether Yahoo’s Irish operation “was complicit” regarding its role in transferring data to the US.
Furthermore Commissioner Dixon stressed that “Irish entities of US operations must understand there will be consequences” in case of breaches involving cross-border data transfers.