Technology company Yahoo Inc. has just disclosed that it is once again at the top of a league table that it would rather not be on at all. Only a few months after admitting that it had unknowingly leaked 500 million user account details two years ago, it has now reported that three years ago it had more than 1 billion user account details stolen from it.
Yahoo joins a string of now notorious names including FriendFinder Networks (412m), MySpace (360m) and eBay (145m) in losing customer details to hackers. Almost one in every seven people on earth has now had their personal details stolen from Yahoo. What is even more astounding is that it has taken Yahoo three years to discover this. Even now they did not find out about the breach themselves, but were informed by a law enforcement agency that their customer details were being touted around the internet and presumably had been for several years.
Yahoo is not the only company to find itself in this situation, which is not just embarrassing but potentially catastrophic. There are probably thousands of other companies in a similar position without even knowing it. Their networks have been breached, their customer details lost and they have been exposed to ruinous loss from customers who suffer financially as a result.
But it is not only their customers that businesses have to worry about. They also have to worry about the regulators. The new General Data Protection Regulation, being imposed by the EU from 2018, will make it a mandatory requirement under EU law to disclose such a breach to the relevant regulator and to their customers. Ignorance will not be an excuse that satisfies the regulators, who will be able to impose fines of up to 4% of total revenue or $20m for non-compliance.
There are now many vendors offering Cyber Security as a Service software solutions that can rapidly identify any breaches and plug the gaps in a company's defences. That is step one. But step two is to make sure that the C-suite is alerted to the issue without delay, so that prompt action can be taken to notify customers and regulators and so that the issue is not hidden.
Here at Crises Control we have recognised this issue as a top-priority, business-critical event that could not only disrupt, but also destroy, any business that does not take it seriously. That is why we have partnered with SaaS vendor ThreatSpike to integrate their leading-edge network monitoring solution into our platform, so the C-suite can be assured they will find out about any breach as soon as it has been identified and then mandate the necessary action plan immediately.
If you are a C-suite executive, the cyber threat is the business risk keeping you awake at night. If it is not, then it should be. Don’t delay; act now. You may already be compromised and not even know it.