Britain's data watchdog fines Yahoo £250,000 for 2014 hack that impacted 515,000 UK accounts
Britain's data watchdog has fined Yahoo UK Services £250,000 ($334,000) for the massive 2014 data breach that impacted over 515,000 UK email accounts. In 2016, Yahoo publicly revealed that at least 500 million accounts were impacted in the breach, which occurred in November 2014 and exposed the personal data of millions of users across the globe.
The Information Commissioner's Office (ICO) said it focused its investigation on the approximately 515,121 email accounts of UK customers that Yahoo's London-based UK services oversaw as a data controller. The compromised data included names, email addresses, dates of birth, phone numbers, hashed passwords and encrypted or unencrypted security questions and answers.
In a statement on Tuesday (12 June), the ICO said Yahoo UK Services "failed to take appropriate technical and organizational measures" to protect users' data, did not comply with data protection standards and did not provide appropriate monitoring services to protect the credentials of employees with access to customer data.
"The inadequacies found had been in place for a long period of time without being discovered or addressed," the ICO added.
In 2016, Yahoo also disclosed that it had suffered another, larger breach in 2013 that affected 1 billion accounts. However, it only publicly acknowledged the 2013 breach after the disclosure of the 2014 attack.
Yahoo has not issued a public comment in response to the latest fine. The firm was acquired by US cable giant Verizon last year and merged with AOL brands under a new subsidiary named Oath.
ICO’s Deputy Commissioner of Operations James Dipple-Johnstone said: "The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised."
The latest fine comes after the US Securities and Exchange Commission (SEC) fined Yahoo $35 million in April for failing to properly notify customers and investors of the major breach.
"Cyber-attacks will happen, that's just a fact, and we fully accept that they are a criminal act," Dipple-Johnstone added. "But as intruders become more sophisticated and more determined, organizations need to make it as difficult as possible for them to get in. But they must also remember that it's no good locking the door if you leave the key under the mat."