Yahoo did not meet EU standards during data breach, Data Protection Commission finds

The major breach affected some 500 million user accounts

File photo shows Yahoo offices in the Point Village in Dublin | Image: Sam Boal/

The Data Protection Commission (DPC) has found web and e-mail provider Yahoo did not meet the standard required by European Union data protection law during a breach in 2014.

It said the company relied on global policies, which defined its technical security and organisational measures.

"Those policies did not adequately take into account Yahoo’s obligations under data protection law", the commission said.

And it found Yahoo "did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law."

The investigation relates to a data breach concerning Yahoo! EMEA Limited, since renamed Oath (EMEA) Limited, that affected approximately 500 million user accounts.

At the time, Yahoo! EMEA was the data controller for the subset of the affected user accounts associated with EU citizens.

A screen on the Yahoo web page informs users of a data breach and the need to change their passwords in September 2016 | Image: Richard B Levine/SIPA USA/PA Images

The data breach ranks as one of the largest breaches to impact EU citizens - affecting approximately 39 million European users.

It is also the largest breach which has ever been notified to and investigated by Ireland's Data Protection Commission.

Oath (EMEA) Limited is based at North Wall Quay in Dublin.

The data breach was initially notified to the DPC on September 22nd 2016.

In the course of its investigation, the DPC established the breach dated back to 2014.

In a statement, the commission said: "The investigation of this breach was afforded the highest priority by the DPC with significant resources committed to the investigation over an extended period of time.

"On foot of this investigation, the DPC has notified Yahoo that it requires it to take specified and mandatory actions within defined time periods.

"The DPC will be closely supervising Yahoo’s timely compliance with these required actions." 

These actions include that Yahoo should ensure that all data protection policies which it uses and implements take account of the applicable data protection law - and that such policies are reviewed and updated at "defined regular intervals".

The DPC has also directed Yahoo to update its data processing contracts and procedures, associated with such contracts, to comply with data protection law.

And the commission has directed the firm to monitor any data processors which it engages for compliance with data protection law on an ongoing basis.

The Data Protection Commission's final report was issued to Oath (EMEA) on Thursday.

But it added: "It is not the practice of the DPC to issue investigation reports as such reports include information and analysis which are confidential to the companies concerned."