The UK arm of internet giant Yahoo has been fined £250,000 ($335,000) by the UK Information Commissioner’s Office (ICO) due to the 2014 data breach that resulted in the theft of personal details belonging to over 500 million users.
Only publicly disclosed in September 2016, the cyber-attack from November 2014 was investigated under the UK’s Data Protection Act 1998, and the investigation determined that Yahoo! “failed to prevent unauthorized access” to its users’ personal data, ICO deputy commissioner of operations James Dipple-Johnstone said.
The investigation specifically focused on a total of 515,121 UK accounts that London-based Yahoo! UK Services Limited assumed responsibility for as a data controller.
The investigation discovered that Yahoo! UK had:
- Failed to take appropriate technical and organizational measures to protect customer data against data breaches.
- Failed to take the necessary measures to ensure its data processor, Yahoo! Inc., complied with the necessary data protection standards.
- Failed to ensure appropriate monitoring to protect the internal credentials of Yahoo employees with access to Yahoo customer data; and
- Failed to address the inadequacies over a long period of time.
Damningly, the official stated:
“The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data. Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”
Further, the ICO referenced the new GDPR laws, which enable individuals to have stronger control over their personal data, warning that they would be “taking their business elsewhere” if companies did not properly protect users’ personal data.
“A number of investigations by other Data Protection Authorities and law enforcement agencies in relation to the data incident are ongoing,” the deputy commissioner added.