500 million accounts

I felt it was time to get back on the video saddle on a regular basis (famous last words). You can probably tell I’m rusty because the sound peaks are all off – I think the onboard mic on my Drift camera is a bit old.

But the big news has been around Yahoo and the massive breach. The first thing that came to my mind when reading about the breach was the fact that under a regulation like GDPR, there’s no way the details of the breach could have been kept hidden from the public for so long. According to article 33 – notification of a personal data breach to the supervisory authority,


  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.


That’s right – 72 hours.


And GDPR is no little slap on the wrist. Under the regulation, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.


Given that in 2015 Yahoo’s revenue was reported as $4.968 billion (source: http://yahoo2015.tumblr.com) – a 2% fine would represent $99,360,000 – yep, just over 99 million.


That should cause every company facing GDPR implementation in 2018 reason to stop and think about the implications to itself.