Yahoo handed £250,000 fine over 2014 data breach

ICO punishes Yahoo's UK arm for failing to protect 515,000 Brits

Yahoo's UK branch has been handed a £250,000 fine by the Information Commissioner's Office (ICO) over the 2014 data breach, which resulted in the theft of around 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said that "the inadequacies found had been in place for a long period of time without being discovered or addressed".

In addition, the ICO also discovered that Yahoo's UK subsidiary had failed to ensure that its parent company was complying with the necessary data protection standards in its role as data processor, and had not properly monitored the security credentials of Yahoo employees with access to customer data in order to prevent misuse.

The incident in question was just one of several data breaches suffered by Yahoo, in which cyber thieves made off with information including dates of birth, phone numbers, names and email addresses. They also stole hashed passwords and security questions and answers in both encrypted and unencrypted forms.

A separate data breach dating back to 2013 was revealed last year to have affected all 3 billion Yahoo accounts, which a US judge ruled earlier this year the company would have to face legal action over.

Following a $4.4 billion acquisition, Yahoo is now part of the Verizon-owned Oath group, along with AOL.

The fine, which was levied against Yahoo! UK Services Limited rather than its global parent company, related specifically to the organisation's failure to protect the 515,000 UK-based accounts that were affected by the 2014 breach.

"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," ICO deputy commissioner of operations, James Dipple-Johnstone, said. "Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."

"We accept that cyber attacks will happen and as the cyber criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat."

Although it took Yahoo two years to disclose the breach after it occurred, the ICO's investigation began before the General Data Protection Regulation (GDPR) came into force, so the watchdog was limited to a maximum fine of £500,000. Dipple-Johnstone warned that the law has now changed, and individuals have much stronger rights.

Something he did not mention was that the potential maximum penalties for companies that fail to take adequate protective measures and do not report breaches in a timely fashion, as Yahoo failed to do in this case, are much more severe under the new rules. The maximum fine regulators can levy is €20 million or 4% of annual turnover, whichever is higher. For late breach notifications, the maximum fine is €10 million or 2% of turnover.

The ICO's £250,000 fine represents less than 0.4% of Yahoo UK's 2016 gross profit, which amounted to £69 million according to data held by Companies House.

It's also substantially less than the record £400,000 fine handed to hacked telco TalkTalk (and to Carphone Warehouse in a separate incident), despite the fact that the Yahoo breach affected around three times as many people in the UK alone.

This could, however, be the first of many fines for the search giant: Dipple-Johnstone said that investigations by other data protection authorities and law enforcement bodies are still underway, which could mean further penalties on the horizon.

"As information commissioner Elizabeth Denham said in her recent speech at the National Cyber Security Centre, organisations need to do more than just shut the door," Dipple-Johnstone said. "They need to lock it. Then check the locks. But they must remember that it's no good locking the door if you leave the key under the mat."
