Yahoo!'s UK limb has finally been handed a £250,000 fine for the 2014 cyber attack that exposed data of half a million Brit users.
Russian hackers broke into Yahoo!'s servers and slurped info on circa 500 million international account holders, including names, email addresses, phone numbers, birthdates, hashed passwords and encrypted or unencrypted security questions and answers.
Despite evidence that the firm knew about the mega-hack soon after it happened at the end of 2014, Yahoo! kept quiet until September 2016. Since then, the fines and court cases have kept rolling in as various regulators get in on the action.
Today, the Information Commissioner's Office issued Yahoo! UK Services Ltd a £250,000 fine following an investigation that focused on the 515,121 UK accounts that the London-based branch of the firm had responsibility for.
The ICO said "systemic failures" had put user data at risk as the UK arm of Yahoo! did not take appropriate technical and organisational measures to prevent a data breach of this size.
In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo! employees who could access customers' data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo!'s servers would be flagged for investigation.
It also noted that, as a data controller, Yahoo! UK Services Ltd had a responsibility to ensure its processors – in this case Yahoo! Inc, whose US servers held the data on UK users – complied with data protection standards.
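The second control the ICO describes, flagging instructions to transfer very large quantities of personal data, is in practice a volume rule over the audit log of export requests. The following is an added illustration written for this page, not code from Yahoo!, Oath or the ICO; the log format, the field names, the one-hour window and both thresholds are assumptions chosen for the example, and the log lines are constructed, not real Yahoo! data. It flags a single oversized export outright and, separately, an actor whose exports within the trailing window add up past a limit, firing once on the way over rather than on every subsequent request.

```python
"""Threshold-based detection of bulk personal-data exports.

Added example, not Yahoo!'s, Oath's or the ICO's code. The log format,
field names, window size and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One line per export request:
# "timestamp,actor,action,record_count".
SAMPLE_LOG = """\
2014-11-03T09:00:00Z,ops-alice,export_users,120
2014-11-03T09:05:00Z,ops-alice,export_users,90
2014-11-03T09:10:00Z,svc-backup,export_users,50000
2014-11-03T09:12:00Z,ops-bob,export_users,2500
2014-11-03T09:14:00Z,ops-bob,export_users,2500
2014-11-03T09:16:00Z,ops-bob,export_users,2500
2014-11-03T09:18:00Z,ops-bob,export_users,2500
2014-11-03T11:30:00Z,ops-bob,export_users,2500
"""

SINGLE_REQUEST_LIMIT = 10_000   # assumed: one request above this is flagged outright
WINDOW = timedelta(hours=1)     # assumed: trailing window for the aggregate rule
WINDOW_LIMIT = 8_000            # assumed: an actor's total within WINDOW above this is flagged


def parse_log(text):
    """Yield (timestamp, actor, action, count) tuples from the CSV-style log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, count = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, int(count)


def detect_bulk_exports(events, single_limit=SINGLE_REQUEST_LIMIT,
                        window=WINDOW, window_limit=WINDOW_LIMIT):
    """Return a list of alert dicts for export_users events.

    Rules, both evaluated per actor:
      * single_request: one export larger than single_limit records.
      * window_volume: the actor's exports within the trailing `window`
        sum to more than window_limit. Expired events are dropped from the
        actor's deque, and the rule fires only when the actor crosses the
        limit, not again until the total has fallen back below it.
    """
    history = defaultdict(deque)   # actor -> deque of (timestamp, count) inside the window
    running = defaultdict(int)     # actor -> sum of counts currently in the deque
    over = set()                   # actors currently above window_limit
    alerts = []
    for ts, actor, action, count in sorted(events):
        if action != "export_users":
            continue
        if count > single_limit:
            alerts.append({"rule": "single_request", "actor": actor,
                           "at": ts, "records": count})
        q = history[actor]
        q.append((ts, count))
        running[actor] += count
        while q and ts - q[0][0] > window:      # expire events older than the window
            _, old = q.popleft()
            running[actor] -= old
        if running[actor] > window_limit:
            if actor not in over:
                over.add(actor)
                alerts.append({"rule": "window_volume", "actor": actor,
                               "at": ts, "records": running[actor]})
        else:
            over.discard(actor)
    return alerts


def run_sample():
    """Run the detector over the constructed SAMPLE_LOG."""
    return detect_bulk_exports(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at'].isoformat()} {a['rule']:15} {a['actor']:12} {a['records']} records")
```

On the sample data the backup service account trips both rules with one 50,000-record request, and ops-bob trips only the window rule after four 2,500-record requests in six minutes; the fifth request two hours later sits in an empty window and is not flagged. The thresholds are the part a real deployment has to calibrate against normal job sizes, and the rule belongs next to the credential controls the ICO mentions in the same sentence: it catches a valid account being misused, which is exactly the case access control alone does not.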
Although the UK has just passed a new Data Protection Act, which implements the General Data Protection Regulation and comes with larger fines, this investigation was carried out under the Data Protection Act 1998.
This means the maximum fine was capped at £500,000 – but today's penalty is by no means the toughest the ICO has handed out in recent years: both TalkTalk and Carphone Warehouse were fined £400,000 for breaches that exposed the details of 156,959 and 3 million customers respectively.
The ICO listed some mitigating factors in its decision notice, including that the exfiltrated data in the Yahoo! incident didn't include payment card or bank account info, as TalkTalk's did, and noted that it was a "sophisticated and persistent criminal attack, supported by the Russian Federal Security Service".
Nonetheless, ICO deputy commissioner of operations James Dipple-Johnstone said that cyber attacks were a fact of life and that companies had to keep up.
"As the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in," he said. "But they must also remember that it's no good locking the door if you leave the key under the mat."
Yahoo! UK Services Ltd – now a subsidiary of Verizon's Oath – has until 21 June to pay if it wants to take advantage of the 20-per-cent-off early-bird discount offered by the ICO. ®