Yahoo! fined £250k over 2014 cyber-attack
The Information Commissioner’s Office (ICO) has set the fine at this level due to the severity of the data breach, it said.
In November 2014, Yahoo! suffered a cyber-attack in which account information was stolen, including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted and unencrypted questions and answers.
But Yahoo! only revealed the data hack to its 500 million global users, including 515,121 UK account holders, in September 2016 – nearly two years after the site was compromised.
Following the revelation, the ICO carried out an investigation which found the following:
- Yahoo! UK Services Ltd failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against access by unauthorised persons
- The company failed to take appropriate measures to ensure that its data processor – Yahoo! Inc – complied with the appropriate data protection standards
- It failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data
- The inadequacies found had been in place for a long period of time without being discovered or addressed.
ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it.
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.
“As the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in. But they must also remember that it’s no good locking the door if you leave the key under the mat.”
He added that since the ICO investigation, data protection law has changed. The EU’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018, which means people have stronger rights and more control and choice over their personal data.
“If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere,” he said.
The ICO has the power to impose a maximum penalty of £500,000 under the Data Protection Act 1998 but under the new GDPR legislation, it can impose a maximum penalty of €20m or 4% of total worldwide turnover.
In October 2016, it fined TalkTalk £400,000 after security failings that allowed a cyber attacker to access customer data.