Yahoo! UK Services Limited has been fined £250,000 by the UK data protection regulator, the Information Commissioner’s Office (ICO). The penalty is for a cyber-attack in November 2014, publicly disclosed in September 2016.
Because of when the breach happened, the ICO’s investigation was carried out under the Data Protection Act 1998; since the GDPR came into force in May 2018, the ICO has powers to fine offenders much more.
The ICO under the previous regime had powers of fining up to £500,000. Another fine on a par with this was TalkTalk’s £400,000 in October 2016. The ICO said it considered the circumstances under which the personal data of about 500 million international users of Yahoo!’s services was placed at risk. In particular, the ICO focused on the 515,121 UK accounts, that Yahoo! UK Services Limited – based in London – had responsibility for as a data controller.
The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. The regulator said the internet firm’s inadequacies had been in place for a long time without being discovered or addressed.
ICO Deputy Commissioner of Operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.
“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But as the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in. But they must also remember that it’s no good locking the door if you leave the key under the mat.”
For the finding in full visit the ICO website.
Comment
Tony Pepper, CEO and Co-Founder, Egress Software Technologies, said: “The Yahoo data breach is likely to go down in history as one of the most notorious – not just because of the scale of data subjects involved but because the company didn’t report the breach for two years. Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR as that legislation has much tougher consequences for a breach.
“As the ICO acknowledged in its findings, people expect organisations to keep their personal data safe. That means implementing technical and organisational measures to protect data against different types of breaches, including malicious and accidental. What’s more, should a breach occur, organisations need to take responsibility so that they can mitigate and report clearly on the impacts this will have on data subjects. The GDPR has forced most organisations to up their game in these respects, but any organisations that are still holding out will need to step up to avoid an ICO investigation themselves.”
