The Yahoo! story isn’t about hacking, it’s about reacting

Yahoo! is in the headlines again for all the wrong reasons. This time the 10.00 News on the BBC was interrupted last night by a note sent to Huw Edwards, who had to announce that the company had suffered the biggest data breach in corporate history, with a billion users’ data compromised.

Some of the coverage will be about the sheer scale of the breach, inevitably, and some – let’s be honest – because “billion” looks brilliant in headlines. It’s a dramatic number, whether you’re using the American (a thousand million) or the little-used English (a million million) version. This is the American version, but that’s still a lot of people’s data. The last time “billion” was in a headline about a technology story was when the Independent marked Apple reaching a billion music downloads, a front page story based on a corporate announcement.

This time the devil truly is in the detail. You have to ask yourself how long ago this all happened. The answer is that the breach was in 2013.

Yahoo! has form

The largest breach before this was a few months ago when a company revealed that 500 million of its clients had seen their data compromised. The company in this case was none other than Yahoo! (here’s the story we wrote at the time) and our concern remains the same.

We should clarify that there is no suggestion that Yahoo! has deliberately concealed anything. The fresh information on the new data breach has come to light, the company says, precisely because of the investigation into the other one. There is no reason to doubt this.

Our concern is that these are just the breaches that have been uncovered and made public. There is no legal obligation on companies to declare when such a thing has happened, partly because the laws have yet to catch up with the technology. New Statesman Tech is calling for laws on disclosure to be introduced internationally as soon as possible. This is a big ask, we realise, particularly as America and Europe are entering what might be described as “interesting times” and data protection might not seem like a priority.

Nonetheless, it was only in September that 500 million was the largest number of users to have their data compromised. We said at the time that there could be more under the surface, and it has transpired that a further billion were victims with accounts at the same company.

There could be more, although we don’t claim to know. What we’d like to see is a standardised reaction so that users know exactly where they stand when something like this takes place.