(Bloomberg) — Yahoo! Inc. is set to be ordered to make changes as its chief privacy regulator in Europe wraps up a probe into one of the “biggest data breaches in history.”
The revelation by Yahoo last September that the personal information of about half a billion people was stolen in a 2014 attack on its accounts was followed just a few months later by the news of a second major security breach that may have affected more than 1 billion user accounts.
Helen Dixon, Ireland’s data protection commissioner, said a probe by her office that’s “at the point of concluding” shows that Yahoo’s European unit is at least in part to blame for the 2014 incident.
“We’re of the view that it could have been detected sooner and the risks mitigated sooner,” Dixon said in a telephone interview with Bloomberg on Tuesday. “We intend to make our findings and impose remedial action.”
Under new European Union rules, from May 2018 Yahoo and any other companies being probed for serious privacy violations in Europe will face fines of as much as 4 percent of their global annual sales. Dixon’s office in Ireland will be the lead regulator for companies with EU bases there. This includes U.S. tech giants Facebook, Yahoo, Apple Inc., and LinkedIn Corp.
Yahoo’s U.K. press office didn’t immediately respond to a call and email seeking comment.
A separate investigation by the Irish regulator into Facebook Inc.’s stalled plans to leverage WhatsApp’s trove of customer data could see some results by the summer, said Dixon.
Concerning the Irish probe, “there wasn’t full clarity” from the companies on how this data exchange would work in practice and the regulator is now “examining significantly altered proposals from WhatsApp and Facebook,” she said.
Rejecting any criticism that her office has been too lax or lenient, Dixon said her office is in the process of expanding to build a “strong team” of about 100 people by the end of 2017 — up from some 20 just a couple of years ago.
While some European watchdogs’ fining powers are minimal, most of the current 28 EU regulators have no powers to levy penalties at all. But come 2018, Dixon said she won’t shy away from making full use of the new powers her office will get.
“Clearly, talking about fines of 20 million or 4 percent of global turnover, we could anticipate they’re not going to be everyday type fines,” she said. “But there are going to be cases where there simply are mass-scale breaches that have significant effects on millions of users.”
“The only way to start driving a better compliance culture is to have those types of enforcement tools in our toolkit,” she said.