EU to release findings of investigations into Yahoo security breaches 'soon'

Findings of investigation by data protection authorities due imminently

Data protection authorities in the European Union will release the findings of their investigations into the security breaches at Yahoo in 2014 and 2015, with the company's EU operations expected to shoulder at least some of the blame.

First up will be Ireland's data protection authority (DPA). According to the Irish data protection commissioner Helen Dixon, the investigation will show that Yahoo's European unit is at least partly to blame for the 2014 data breach, which spilled around 500 million account details.

"We're of the view that it could have been detected sooner and the risks mitigated sooner," Dixon told Bloomberg. "We intend to make our findings and impose remedial action where the findings need us to do that."

What that remedial action will be is as yet unclear, but Yahoo, now owned by Verizon, can anticipate being required to make some substantial changes to its operations and can also expect a fine.

The Irish DPA, which rules on data protection issues over companies based in Ireland, had long been thought of as a soft touch, tending to go along with the Irish government and its desire to attract global tech giants with a low tax regime. Many tech companies including Apple, eBay, Amazon and Facebook have their European headquarters in the country.

However, Dixon rejected this, saying her office is expanding to comprise 100 employees by the end of 2017, an increase of 80 people in two years.

This is a result of the greater authority given to DPAs by the incoming EU General Data Protection Regulation (GDPR), which also allows for the imposition of fines of up to €20m or four per cent of global turnover, whichever is the greater.

Dixon said she is prepared to use all the powers at her disposal to bring companies into line.

"The only way to start driving a better compliance culture is to have those types of enforcement tools in our toolkit," she said.

The Irish DPA has also been looking at whether Facebook's transfers of personal data to the US are legal, and into the social media giant's stalled plans to mine the personal data of its acquisition WhatsApp without the consent of its users. A decision on the latter is expected in the summer.
