Yahoo’s UK arm has been fined £250,000 ($335,000) by the UK Information Commissioner’s Office (ICO) over a 2014 data breach that affected more than 500 million users.
The personal data of 500m user accounts worldwide was compromised during a state-sponsored cyber attack in 2014, which was only revealed in 2016. The stolen data included names, email addresses, telephone numbers, passwords and encrypted security questions and answers, the ICO said on Tuesday.
The ICO said the fine related to the impact on 515,121 accounts that were co-branded as Sky and Yahoo services in the UK, for which Yahoo! UK Services Ltd is the data controller.
The data protection watchdog said the internet firm had “failed to prevent” the Russia-sponsored hack, following an investigation carried out under the Data Protection Act 1998.
The ICO’s investigation also found:
- The firm failed to ensure that its Yahoo-owned data processor “complied with the appropriate data protection standards”
- It did not ensure that the credentials of employees with access to customer data were monitored
- There was “a long period of time” before the flaws which led to the breach were discovered or addressed
Yahoo declined to comment. The firm has since been acquired by US telecoms operator Verizon and merged with fellow early internet firm AOL to form Oath, an operator of various specialist sites and internet services.
“We accept that cyber-attacks will happen and as the cybercriminals get shrewder and more determined, the protection of data becomes even more of a challenge,” said James Dipple-Johnstone, the ICO’s deputy commissioner of operations. “However, organisations must take appropriate steps to protect the data of their customers from this threat.”
Yahoo also suffered a larger data breach in 2013 that affected 1bn accounts, but it was only revealed in 2016, after the disclosure of the 2014 hack; in 2017 Verizon revised that figure to all 3bn Yahoo accounts.