In terms of raw numbers, it is considered the biggest data breach ever. Now, Yahoo! is going to pay $50 million.
While it is debatable what is the worst data breach in history, in terms of total number of records, Yahoo! suffered the biggest known breach ever at 3 billion accounts back in 2013. The size of the breach dwarfs even the stunningly huge Adhaar data breach which saw the biometric data of 1 billion people exposed to anyone who wanted had 500 rupees on hand.
In addition to paying $50 million in damages, Yahoo! will also offer free credit monitoring to people affected by the breach. More information from The Hill:
The breach, which occurred in 2013 and 2014 but was not disclosed until December 2016, involved the names, emails, addresses, dates of birth and phone numbers of affected customers.
Yahoo, which is now overseen by Verizon subsidiary Oath, has maintained that passwords, credit card numbers and bank account information was not among the stolen information.
In April, the Securities and Exchange Commission (SEC) fined the company $35 million for failing to properly notify customers and investors in a timely fashion about the data breach.
“Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors,” the SEC said at the time.
For years, many companies who suffered from data breaches often felt it was worth the risk to simply keep quiet about any security breaches. That is certainly something that happened throughout the 2000’s and early 2010’s. The thinking behind that is that data breaches not only cost the company money in the long run (this includes stock prices), but companies will take damage from their reputation on top of it all. So, some companies did feel that keeping quiet and hope the whole thing goes away is a worthwhile course of action. Customers having their information stolen is just minor collateral damage as far as some were concerned.
Now, more recently, it seems attitudes are changing. This is largely thanks to laws such as Europe’s GDPR where failing to disclose breaches to authorities means multi-million and maybe even multi-billion dollar fines. In fact, the GDPR laws are already being tested with the recent Facebook breach which saw around 30 million accounts potentially compromised.
While it is certainly more than possible to see companies try and cover up such breaches, it is increasingly looking like more and more companies are simply willing ti disclose what happened up front – especially when they are an international company operating in Europe.
What’s more is that it raises questions on how companies handle personal information in the first place. As long as there are huge concentrations of personal information out there, those concentrations become extremely attractive targets to criminals. Some are saying that we should re-think how this information is stored and used in the first place. After all, no one wants to see multi-million record breaches – especially when it involves all the pieces of information identity thieves need to ruin someone’s life.
Still, if there is a silver lining in all of this, it’s that these fines are at least giving some incentives to better protect the information in the first place. Whether or not this is going to be sufficient remains to be seen, though.