
Oscar Williams

News editor

ICO fines Yahoo £250,000 over breach of 500,000 UK users’ data

The Information Commissioner’s Office has fined Yahoo’s UK division £250,000 following an investigation into the theft of more than 500,000 UK users’ data in 2014.

A total of 500 million users’ data was compromised during the attack. It was followed by a second, larger breach potentially affecting all three billion of the firm’s accounts.

In a damning statement, the ICO accused Yahoo UK Services Limited of failing to take appropriate technical and organisational measures to secure the data, comply with data protection standards and monitor the credentials of employees with access to the data.

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised,” said deputy commissioner James Dipple-Johnstone.

The fine is one of the largest the ICO has ever issued and was made under the Data Protection Act 1998, which gave the regulator the power to fine businesses up to £500,000. But it is smaller than the £400,000 fine the regulator handed TalkTalk in 2016 and significantly smaller than the fines that could be issued under GDPR. The new regulation gives the ICO the power to fine organisations up to 4 per cent of their global turnover.

“As intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in,” said Dipple-Johnstone. “But they must also remember that it’s no good locking the door if you leave the key under the mat.”

Earlier this month, the Irish data protection watchdog that regulates Yahoo’s European operations ordered the firm to make specific changes to the way it operates in the EU.

Verizon bought Yahoo’s digital properties last year for almost $4.5bn, combining them with Aol to form a new brand called Oath. In April, the US Securities and Exchange Commission fined the company that owns Yahoo’s remains, Altaba, $35m for failing to tell investors about the breach.

A Verizon spokesperson declined to comment.