Data at Risk: Did Yahoo Just Prove How Unsecure Our Sensitive Data Is?

Employee round-table discussion
Reading Time: 2 minutes

The largest publicly disclosed cyber-attack in history was announced in September, and it’s causing serious waves across the data security industry.

Internet giant Yahoo was responsible for leaking the personal details of up to 500 million users. It’s believed that the data breach occurred 2 years ago and has only just been disclosed.

With thousands of Yahoo users expressing their anger on social media and industry leaders questioning why the company took so long to disclose the breach, Yahoo’s CEO Marissa Mayer has a lot to answer for.

Yahoo, which has only recently reached an agreement with U.S. telco Verizon Communications to sell the business for £4.84bn, announced that the leaked data of 500 million of its users included names, emails and unencrypted security questions, as well as other sensitive data.

The story breaks exactly 11 months on from the famous TalkTalk data breach in which 157,000 of its customers had their person information and bank account details stolen by hackers.  TalkTalk, who lost 101,000 customers as a result of a cyber-attack which took place in October 2015, was fined a record £400,000 this month.

The severity of both attacks highlights the need for better data security and governance. David Langton from data classification specialist Boldon James comments: “It’s extremely concerning that some of the world’s largest organisations are still failing at protecting our data. Even with new EU General Data Protection Regulation coming into force in 2018, companies still appear to be vastly underprepared”.

A recent survey conducted by Boldon James of public and private sector organisations reveals that many companies have a worryingly indifferent attitude to data security.

Only 12% of the companies in the survey said they considered data security as a Board issue, and only 19% of respondents said they had started data security training and awareness programmes in their organisation.

So what can we expect with new EU GDPR regulation just around the corner?

David Langton explains: “Companies clearly aren’t ready to tackle what lies ahead and require a better understanding of the impending regulation. EU GDPR will ensure that any business handling sensitive data on EU citizens adheres to strict rules, or face fines of up to EUR20 million. But it doesn’t change the fact that many companies are unprepared or simply have a poor attitude to the security of personal data.”

Leading technology research firms Forrester and Gartner report that data classification is the basis for a data-centric approach to security. By classifying and labelling data according to its sensitivity, organisations can reduce the risk of breaches by focusing protection on the most sensitive business critical data.

Using a data classification solution to classify data as a first step ensures a data-centric approach to protecting personal information. It embeds a culture of compliance by involving users in identifying, managing and controlling regulated data, while automating parts of the protection process to enforce rules and policies consistently.

EU GDPR legislation and standards come in to force from 25 May 2018. For further information, visit the Information Commissioner’s Office website or download the EU GDPR Fact Sheet from Boldon James.