European authorities fine Yahoo! and Optical Center £250,000

News by Robert Abel

European authorities were cracking down on firms that fail to secure customer data properly even before GDPR went into effect: two separate companies were each fined £250,000 in the past week.

The French data protection authority (CNIL) imposed a £250,000 fine on Optical Center for insufficiently securing its customers' personal data, and the UK's Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach.

The CNIL was notified of the incident in July 2017, when it learned that the firm's customers could access more than 300,000 documents, mainly invoices, belonging to other customers simply by entering URLs in the browser address bar, according to a 7 June statement from the agency.

The CNIL's investigation found that the site did not check that a customer was logged in to their own account before displaying an invoice, so any customer could view the invoices of others by requesting them directly.
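The access-control gap the CNIL describes, as an added illustration rather than Optical Center's code (the invoice store, customer ids and handler names are constructed): the first handler resolves the identifier in the URL straight to a record, the second refuses unless the record belongs to the logged-in customer.

```python
"""Invoice endpoint with and without an ownership check.
All data below is constructed sample data, not from the incident."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int  # customer who may read this invoice
    body: str


# Constructed sample store: three invoices belonging to two customers.
INVOICES = {
    1001: Invoice(1001, owner_id=7, body="invoice for customer 7"),
    1002: Invoice(1002, owner_id=7, body="second invoice for customer 7"),
    1003: Invoice(1003, owner_id=9, body="invoice for customer 9"),
}

Response = Tuple[int, Optional[str]]  # (HTTP status, document body)


def fetch_invoice_vulnerable(session_user_id: Optional[int], invoice_id: int) -> Response:
    """Looks up the record by the URL parameter only: being logged in as anyone
    is enough to read any invoice by changing the number in the address bar."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice.body


def fetch_invoice_hardened(session_user_id: Optional[int], invoice_id: int) -> Response:
    """Requires a session, then refuses unless the session owner matches.
    'Missing' and 'not yours' both return 404 so the response does not
    confirm that another customer's invoice number exists."""
    if session_user_id is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return 404, None
    return 200, invoice.body


def readable_count(handler: Callable[[Optional[int], int], Response],
                   session_user_id: Optional[int], candidate_ids: Iterable[int]) -> int:
    """Regression check for the endpoint: how many invoice numbers in a range
    does one customer's session successfully read? Should equal what they own."""
    return sum(1 for i in candidate_ids if handler(session_user_id, i)[0] == 200)
```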

The European Union's General Data Protection Regulation was not in effect at the time of the incident, but the data breach did violate applicable French law.

Ilia Kolochenko, CEO of the web security company High-Tech Bridge, said he thinks GDPR would likely impose a less severe punishment for a first incident, but that for repeated negligence and the data breaches that follow from it, GDPR gives regulators much more freedom to impose harsh financial penalties.

“Despite the sad context, it is rather good news and a strong signal to other companies that cyber-security is not something they can continuously disregard,” Kolochenko said. “Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”

He went on to say that one should keep in mind that victims can make civil claims for damages suffered as a result of a breach, which could make breach costs skyrocket.

Optical Center isn't the only firm penalised for failing to secure the data of its European customers. Yahoo was also handed a fine.

The ICO found that Yahoo's UK services arm had failed to secure the data of 515,121 customers against exfiltration by unauthorised persons, and had failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data, according to TechCrunch.

BioCatch's VP Frances Zelazny said the announcement highlights the growing call for transparency and accountability from companies.

“Governments are more likely to step in and regulate the use of personal data to protect their citizens, as we see with the newly implemented data protection law in Europe,” Zelazny said. “Companies will be held to a higher standard moving forward, and be forced to recognise the enormous responsibility that they have in ensuring proper data/digital identity management.”

Zelazny added that we can't escape the reality that the pursuit of convenience, social media and transacting online may clash with the need for security, and that data breaches have become so frequent that consumers have lost sight of the impact that having all their personal information exposed can have.

Tony Pepper, CEO and co-founder of Egress Software Technologies, commented: “The Yahoo data breach is likely to go down in history as one of the most notorious – not just because of the scale of data subjects involved but because the company didn't report the breach for two years. Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR, as that legislation has much tougher consequences for a breach.

“As the ICO acknowledged in its findings, people expect organisations to keep their personal data safe. That means implementing technical and organisational measures to protect data against different types of breaches, including malicious and accidental. What's more, should a breach occur, organisations need to take responsibility so that they can mitigate and report clearly on the impacts this will have on data subjects. The GDPR has forced most organisations to up their game in these respects, but any organisations that are still holding out will need to step up to avoid an ICO investigation themselves.”
