Costly breaches for global giants.
The financial cost of data breaches was laid bare this past week as both Yahoo and Facebook were hit with fines for failing to keep user data secure.
Yahoo was the first to feel the financial fallout over data breaches that the company first admitted to back in 2016, although the large-scale breach actually occurred during 2013. The extent of the breach was massive, affecting three billion accounts, but Yahoo said nothing at the time. The detail surrounding the breaches only came to light when the company disclosed the information following its agreement to be purchased by Verizon some three years later.
If you think this isn’t good business practice from the company, the US Securities and Exchange Commission would appear to agree with you. Earlier this year, it issued a $35m fine over charges that Yahoo misled investors by withholding such information relating to a further data breach in 2014. Now, Yahoo has had its wrists slapped again, this time agreeing to a $50m settlement figure to compensate over 200 million victims of the breach in response to a class action lawsuit that was brought against it.
Small businesses and individuals can claim back any costs they believe resulted from the breach, and those with documented losses will be able to claim more than those without - up to a maximum of $375 for documented losses and $175 for undocumented ones. Premium Yahoo email users will also receive a 25% refund, and users can take advantage of a two-year credit monitoring scheme.
Before anyone rubs their hands with glee at the thought of a payout, the 200m accounts affected under this compensation scheme are located in the US and Israel. There is no mistaking, however, that Yahoo’s data breach has cost it dearly. The company’s mistake hurt consumers and investors alike, and the firm is still paying now for what remains the largest data breach in history.
Closer to home, Facebook has also fallen foul of regulators, as the Information Commissioner’s Office has fined the company the maximum possible sum (£500,000) for failing to protect users’ personal information. This particular fine relates to Facebook’s behaviour in the Cambridge Analytica scandal, with the ICO’s investigation finding that between 2007 and 2014, Facebook “processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had”.
As well as giving app developers access to users’ data without informed consent, Facebook was also found to have failed to make suitable checks on apps and developers using its platform, meaning it failed to keep users’ information secure.
As the breach occurred before the GDPR came into force, Facebook has dodged a far more costly fine here - it could, in theory, have been fined over £1bn under GDPR rules - but the ICO has done all it can to get the message across that the firm’s practices were not up to scratch. While Facebook might have gotten away with a financial penalty that will, in truth, have little impact, the forceful rhetoric behind the ICO’s action will leave executives in little doubt as to the scrutiny the firm now faces from regulators and consumers alike.
Within the ICO’s statement on the fine, information commissioner Elizabeth Denham sums up many people’s views perfectly: “A company of its size and expertise should have known better and it should have done better.”