Yahoo – biggest data breach ever

people-padlockIt is widely known that hackers target all companies large or small. In social media and cloud storage terms, we’ve seen breaches from a range of businesses include MySpace, LinkedIn, to DropBox and many more.

And now, as almost everyone must be aware, Yahoo has announced it has suffered the largest cyber breach in history. 500 million accounts have been accessed, of which 8 million relate to UK data.  This is a particularly difficult issue for Yahoo, who, as announced in July, is close to finalising the £3.7bn deal to sell its core business to Verizon. The breach occurred two years ago, and there is significant speculation about why it has taken so long for the organisation to discover the breach (coincidentally also July 2016).

In July a hacker known as Peace was discovered selling the information of 200 million Yahoo accounts on the dark website Real Dark.  It wasn’t until then that Yahoo launched an investigation to see whether – and to what extent – they had been hacked.

It is troublesome, to say the least, that a company of Yahoo’s magnitude can be the victim of the largest cyber attack in the world … and simply not notice for two years. Under the upcoming EU General Data Protection Regulation, notification of such a brief to the Supervisory Authority is mandatory within 72 hours of discovery – which doesn’t really help when a company doesn’t discover the breach for such an extended period of time.

Generally speaking, it takes an average of between 98 and 191 days (over six months) to detect an intrusion, and it does beg the question … why?  Some sources report that there is simply too much data for the analysts to sift through to be able to immediately recognise the threat.  In addition, false alarms are common.

So to an extent it’s understandable that there would have been some delay in identifying the breach.  Almost all of us have had an occasion where the car alarm has gone off because of a gust of wind or a vast lorry getting too close. But you would expect that when someone steals your car’s wheels, its seats and the doors, you just might notice.

So what do we know about this breach?

500 million Yahoo users have had their names, email addresses, dates of birth, hashed passwords, telephone numbers and unencrypted security questions accessed. We also know that Verizon only found out two days before the knowledge of the breach was released to the public.

Now we’re all asking the question “Who’s behind it?” Yahoo believes it was a “state-sponsored actor”. So which state? The suspects so far are Russia (supposedly behind hackers Fancy Bears who hacked WADA and released Olympian’s medical records to show what banned drugs they were taking for medical reasons); North Korea (suspected of being behind the hack on Sony after the film ‘The Interview’ showed its leader in a poor light); China (who, despite denial, allegedly recently stole the finger prints of 4 million Americans from The Office of Personnel Management).  Alternatively, it could have been a lone wolf like the TalkTalk breach – TalkTalk too suspected a large corporation but instead it turned out to be a teenager in his bedroom trying to make a few extra quid.

What we need to understand is that, unless companies invest the appropriate time, resource and money to protect their own and their customers’ data, they will continue to be wide open to breach.  In the UK only 51% of large businesses have followed half or more of the government’s 10 steps to cyber security.

So … if only half of us are consciously going to take action to attempt to prevent these breaches, is it any wonder that the hackers have it so easy?


Written by Charlotte Seymour, October 2016

EU – US Privacy Shield has been adopted

Privacy ShieldAt last agreement has been reached on the EU – US Privacy Shield agreement which now replaces the Safe Harbor agreement.  Safe Harbor was ruled invalid in 2015 by the EU Court of Justice, because they said there were not sufficient safeguards for personal data under the voluntary scheme.

The new agreement is intended to protect the privacy of EU citizens when their personal information is processed in the US.

Companies will be able to sign up to the EU – US Privacy Shield from August 1st once they have implemented any necessary changes to comply with the strict compliance obligations.

The EU – US Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles entitled the EU – US  Privacy Shield Framework Principles.

The new framework was unveiled in February and has been under review since then.  Back in June the European Data Protection Supervisor, Giovanni Buttarelli advised that it ‘needed significant improvements’ because it was not ‘robust enough’ and that the Commission should negotiate improvements to the Privacy Shield in three main areas:

  • limiting exemptions to its provisions;
  • improving its redress and oversight mechanisms,
  • integrating all the main EU data protection principles.

For the Privacy Shield to be an effective improvement on Safe Harbour it must provide adequate protection against indiscriminate surveillance as well as obligations on transparency, and data protection rights for people in the EU.

In Brussels on July 12th Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The EU – US  Privacy Shield is a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses. It brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints”

In summary the EU-US Privacy Shield is based on the following principles:

  • Strong obligations on Companies handling data and robust enforcement
  • Clear safeguards and transparency obligations on US government access
  • Effective protection of individual rights
  • Annual joint review mechanism
  • Easier and cheaper redress possibilities in case of complaints —directly or with the help of the local Data Protection Authority

The Privacy Shield agreement applies to both data controllers and processors (agents), and specifies that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.

Whilst the UK remains a member of the EU (which it will be for least the next 2 years) UK based companies that process data in the US will be able to use the Privacy Shield where appropriate.

Michelle Evans, Data Compliance Director

14th July 2016

What does Brexit Mean for GDPR?

brexit eggBritain has voted to leave the EU, and at this stage it seems that Parliament is going to honour the results and take us out of the EU. So what does this mean for data protection?

I don’t think there has ever been such uncertainty, confusion, difficulty and high risk over data compliance.  So I thought this might help clarify what Brexit is likely to mean in relation to the UK’s data protection legislation.

  1. If Article 50 is invoked in or after October 2016 (as suggested by David Cameron this morning) it will take at least two years and four months for the UK to leave the EU. And, given the complexities of the exit negotiations involved, it may well take longer than that.
  2. EU law will continue to apply until the moment the UK actually leaves the EU, which means that, for a minimum of 5 months, UK organisations – even those which do not process data in Europe – will be required to comply with GDPR. 
  3. If Britain leaves the EU and remains a part of the EEA (like countries such as Switzerland, Norway, Iceland and Lichtenstein), it will be required to comply with GDPR.     
  4. If Britain does not want to be part of the EEA, once it has left the EU it will NOT be required to comply with GDPR.
  5. However, if the UK wants to trade equally with the EU (to quote the Information Commissioner’s Office)UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”  To achieve this end, the ICO has already stated its intention to speak to the UK government to explain that reform of the UK law remains necessary Having clear laws with safeguards in place is more important than ever given the growing digital economy”

Although it’s too early to know exactly what will happen to UK Data Protection law, what is quite clear is that all UK businesses need to continue making preparations for GDPR compliance.  An excellent starting place is to ensure that you understand and comply with current legislation right now.  I’d suggest the following process:

brexit compliance process

If you have any questions about data protection governance, compliance or security and would like a no-strings chat, please don’t hesitate to call on 0203 815 8003 or email

GDPR is here – Data Protection is Changing

shutterstock_128215814The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Altzheimers Society and VTech. Under GDPR, these, and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

shutterstock_14154718The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction,  then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.


It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant
Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

GDPR and Data Processors – a New World

data processors

Now that GDPR has been approved, companies need to start work on preparing their governance, employees and technology for the new legislation.

Among those organisations most affected by GDPR are Data Processors.    Data processors process data on behalf of, and under the instruction of their data controller.  Now data processors must comply with the statutory requirements of GDPR and, for the first time, can be held accountable.

Failure to meet the requirements of GDPR carries significant sanctions, up to 4% of global turnover OR 20 million euros – whichever is the greater.   In addition, processors still run the risk that, in the event of non-compliance or breach, their data controller can sue for breach of contract – all eye-wateringly expensive to the point of breaking the business.

So it’s a new world for data processors, who need to take steps immediately to protect themselves against compliance and security risk. For example:

  • They must have appropriate technical and organisational measures to ensure security of the data they are processing.
  • They must maintain written records relating to all personal data processing carried out for each of its data controllers
  • They may no longer appoint new or alternate sub-processors without the authorisation of the data controller
  • They must cooperate with the relevant supervisory authority
  • They must notify the data controller without undue delay in the event of a data breach
  • They must comply with GDPR in relation to cross-border data transfers

So what kind of organisation does this affect? Data processors include a multitude of businesses from call centres, to data providers, to data service providers – cleansing, hygiene, analysis – to cloud providers and technology vendors.

Mandated contract clauses have been specified in detail under GDPR, so all existing and future contracts will need review and are likely to need revision as negotiations between controllers and processors become ever tougher as each party tries to tie down the areas of liability and responsibility.

There is an argument that the costs of processing may increase, which will have a negative impact for data controllers.  But there’s no doubt – data processors are now firmly in a new world of liability and penalty.

Safe Harbour out .. EU-US Privacy Shield in

eu us privacy seal

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

On Tuesday 2nd February an agreement was reached after several months of negotiations between Europe and the USA. This has come about following the Schrems case and the European Court of Justice ruling on 6th of October 2015 which declared the old so called ‘Safe Harbour’ framework invalid.  The Safe Harbour expiry deadline was 31st January.

The EU-US Privacy Shield

Some of the key elements of the new framework are listed below:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
  • Effective protection of EU individuals’ rights with several redress possibilities: Any individual who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.

EU-US Privacy Shield Next Steps

 Vice-President Ansip and Commissioner Jourová   have been mandated to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the EU Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsperson.

Charities and Data Protection Training

DP online trainingCharities are having a tough time with data protection at the moment.  The Daily Mail is pursuing them for their donor practices, and even when their behaviour is compliant, the reputational impact is enormously damaging to all charities, not just the few cited in the press.

Now the Altzheimer’s Society has fallen foul of the ICO because its volunteers were not trained in data protection, and were following inadequate processes, particularly in relation to sensitive personal data – for example using personal email addresses for sharing and receiving data about users of the charity;  storing unencrypted data on their home computers;  and not keeping paper records locked away securely.

This case does illustrate the need for charities to provide data protection training, not only among its own employees, but also to its volunteers.  Volunteers give selflessly of their time and energy, but even with the best intentions in the world, they cannot be expected to know the nuances of what is and is not acceptable in terms of data compliance and security.  Where sensitive personal data is concerned, this becomes a significant failing that will rebound on the charity  and generate a great deal of negative attention.  At the same time, lack of procedure and training creates an enormous risk of potential damage and distress to the very vulnerable individuals the charity is seeking to help.

Training volunteers as well as staff in data protection is essential to ensure security is maintained, that users are protected, and to provide reassurance that the charity is adopting a robust approach to data protection – particularly important to the Trustees as they are accountable and liable for breaches.

In addition, the charity’s own policies and procedures should be distributed and explained to all volunteers without exception.  And finally, checks should be carried out on an ongoing basis to ensure that volunteers are adhering to the charity’s documented policies and procedures.

Data Compliant is pleased to offer face to face training, and / or  online data protection training  – in each case, covering the 8 principles of the Data Protection Act, Privacy and Electronic Communication Regulation, data security and information on the upcoming European General Data Protection Regulation (GDPR).

Data Compliant training courses are written in clear, easy language.  The online training includes relevant and engaging gamification, and is ideal for employees, volunteers and Trustees.  If you’d like more information, please email or call 01787 277742.

Victoria Tuffill, CEO Data Compliant