The UK’s Information Commissioner’s Office (ICO) has fined Yahoo £250,000 over the data breach the company experienced in 2014. The fine was issued for serious contraventions of the Data Protection Act 1998.
The 2014 data breach resulted in the exposure of more than 515,000 UK Yahoo email account holders’ data. The information exposed included customers’ names, birth dates, telephone numbers, email addresses, usernames, hashed passwords, and security questions and answers, some encrypted and some not.
The UK subsidiary of Yahoo!, Yahoo UK Services Ltd, was responsible for the affected accounts and failed to take appropriate steps to secure the data, according to the ICO.
The investigation uncovered a slew of security failures. Yahoo UK Services Ltd had failed to implement appropriate technical and organizational safeguards to protect customer data and prevent its exfiltration.
Yahoo UK Services Ltd passed customer data to its data processor, Yahoo! Inc, but failed to ensure appropriate data protection standards had been applied. Appropriate monitoring also did not take place to ensure the credentials of employees with access to customer data were protected. The lack of safeguards had gone undetected for a considerable period of time.
The failures were deemed to constitute a serious contravention of Principle 7 of the Data Protection Act 1998, which requires that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction or damage.
Had the breach occurred after May 25, 2018, when GDPR came into force, the potential fine would have been considerably higher. Under the Data Protection Act 1998, the maximum fine the ICO could impose was £500,000. Under GDPR, the maximum fine is €20,000,000 (about £17,493,000 at the time of writing) or 4% of global annual turnover, whichever is the greater.