Blog Post

If you’re handling customer data, there’s a lot to learn from the Yahoo breach

“I can’t believe it took them (Yahoo) this long to inform their customers about the breach,” said Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario and now executive director of the Privacy and Big Data Institute at Ryerson University. “Yahoo has now become the poster child of ‘what not to do’ in the case of a data breach.”

Apart from being a PR and financial fiasco for Yahoo, she said, the leak or theft of security information relating to some 500 million Yahoo users poses a serious security threat to the individuals and companies whose accounts were compromised.



Cavoukian also said the situation provides a number of due diligence, privacy and security lessons for any organization that happens to handle customer information.

“Businesses are going to take note because for certain there’s a huge financial cost to this for Yahoo,” she said. “The company will soon be facing numerous lawsuits, and this could mean trouble for the impending purchase of Yahoo by Verizon.”

Just days after Yahoo admitted the breach, a New York resident filed a lawsuit against Yahoo and sought class-action status on behalf of other Yahoo users, according to a report from a business and technology news outlet.

“Why is this being known only now?” was certainly one of the questions being asked at Verizon when the news broke. The telecom giant is on the verge of closing a $4.8 billion deal to acquire Yahoo, a transaction that would transform Verizon, which also bought former Internet stalwart AOL, into a digital powerhouse.

By Yahoo’s own account, the data was stolen back in 2014.

While some observers say it is possible Verizon will not drop Yahoo, Cavoukian said the telecommunications company will now have to factor into its purchase the potential fallout of future legal actions against the company it is buying. This could mean a drop in the purchase price.

Already, Verizon has announced that it is sending its online security experts to Yahoo to determine the cause of the hack and to assess its damage, according to the New York Times.

So what can businesses learn from this snafu?

Inform your customers ASAP – Businesses handling customer information have a responsibility to protect that data and to inform their customers immediately if they believe the data has been compromised, according to Cavoukian. Companies should use multiple channels to reach customers, such as phone, email, letters and media broadcasts. “It’s important that customers are aware of the risks they face.”

Provide accurate, truthful, relevant, timely, useful information – The company’s communication to its customers should contain truthful information about what happened. Customers should have adequate information about what elements of their data were affected and how this could impact them and their other accounts. The communication should also provide some guide to the customers regarding what they should do to protect their accounts and information and to limit the damage. Firms should provide customers regular updates on what is being done about the situation.

Notify the privacy commissioner – Upon learning of a breach, the affected company must notify the relevant authorities, such as the privacy commissioner.

Coordinate with partners and providers – Alert partners and service providers whose network may be connected to the affected systems. If appropriate, coordinate efforts to contain the damage.

Have a privacy breach protocol – Even before a breach occurs, a company needs to have in place a security protocol that outlines the responsibilities of personnel and management and the steps they ought to take. The protocol should include a chain of command and a communication plan for the transmission of information (inside and outside the organization), along with a delineation of responsibilities and tasks related to the breach. It should detail who is in charge of assessing and confirming the breach, the containment and remediation actions to be taken, and the timelines by which such tasks need to be accomplished.

After the situation has been contained, companies also need to conduct a thorough assessment and investigation to determine what went wrong and how future disruptions and breaches can be avoided, said Cavoukian.
