
This article is more than 1 year old

UK! watchdog! slaps! Yahoo! with! £250k! fine! for! 2014! data! breach!

'Systemic failures' put Brit users' personal info at risk

Yahoo!'s UK limb has finally been handed a £250,000 fine for the 2014 cyber attack that exposed data of half a million Brit users.

Russian hackers broke into Yahoo!'s servers and slurped info on circa 500 million international account holders, including names, email addresses, phone numbers, birthdates, hashed passwords and encrypted or unencrypted security questions and answers.

Despite evidence that the firm knew about the mega-hack soon after it happened at the end of 2014, Yahoo! kept quiet until September 2016. Since then, the fines and court cases have kept rolling in as various regulators get in on the action.

Today, the Information Commissioner's Office issued Yahoo! UK Services Ltd a £250,000 fine following an investigation that focused on the 515,121 UK accounts that the London-based branch of the firm had responsibility for.

The ICO said "systemic failures" had put user data at risk as the UK arm of Yahoo! did not take appropriate technical and organisational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo! employees who could access customers' data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo!'s servers would be flagged for investigation.

It also noted that, as a data controller, Yahoo! UK Services Ltd had a responsibility to ensure its processors – in this case Yahoo! Inc, whose US servers held the data on UK users – complied with data protection standards.

Although the UK has just ratified a new Data Protection Act, which implements the General Data Protection Regulation and comes with larger fines, this investigation was carried out under the Data Protection Act 1998.

This means the maximum fine can only be £500,000 – but today's penalty is by no means the toughest the ICO has handed out in recent years: both TalkTalk and Carphone Warehouse were fined £400,000 for breaches that exposed the details of 156,959 and 3 million users respectively.

The ICO listed some mitigating factors in its decision notice, including that the exfiltrated data in the Yahoo! incident didn't include payment card or bank account info, as TalkTalk's did, and noted that it was a "sophisticated and persistent criminal attack, supported by the Russian Federal Security Service".

Nonetheless, ICO deputy commissioner of operations James Dipple-Johnstone said that cyber attacks were a fact of life and that companies had to keep up.

"As the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in," he said. "But they must also remember that it's no good locking the door if you leave the key under the mat."

Yahoo! UK Services Ltd – which is now a holding company of Verizon's Oath – has until 21 June to pay if it wants to take advantage of the 20-per-cent-off early-bird discount offered by the ICO. ®
