Yahoo handed £250,000 fine over 2014 data breach

Yahoo's UK branch has been handed a £250,000 fine by the Information Commissioner's Office (ICO) over the 2014 data breach which resulted in the theft of around 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said that "the inadequacies found had been in place for a long period of time without being discovered or addressed".

In addition, the ICO also discovered that Yahoo's UK subsidiary had failed to ensure that its parent company was complying with the necessary data protection standards in its role as data processor, and had not properly monitored the security credentials of Yahoo employees with access to customer data in order to prevent misuse.

The incident in question was just one of several data breaches suffered by Yahoo, in which cyber thieves made off with information including dates of birth, phone numbers, names and email addresses. They also stole hashed passwords and security questions and answers in both encrypted and unencrypted forms.

A separate data breach dating back to 2013 was revealed last year to have affected all 3 billion Yahoo accounts, which a US judge ruled earlier this year the company would have to face legal action over.

Following a $4.4 billion acquisition, Yahoo is now part of the Verizon-owned Oath group, along with AOL.

The fine, which was levied against Yahoo! UK Services Limited rather than its global parent company, related specifically to the organisation's failure to protect the 515,000 UK-based accounts that were affected by the 2014 breach.

"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," ICO deputy commissioner of operations, James Dipple-Johnstone, said. "Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."

"We accept that cyber attacks will happen and as the cyber criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat."

Although it took Yahoo two years to disclose the breach after it occurred, the ICO's investigation began before the General Data Protection Regulation (GDPR) came into force, so the watchdog was limited to a maximum fine of £500,000. Dipple-Johnstone warned that the law has now changed, and individuals have much stronger rights.

What he did not mention is that, under the new rules, the potential maximum penalties are much more severe for companies that fail to take adequate protective measures and do not report breaches in a timely fashion, as Yahoo failed to do in this case. Regulators can now levy fines of up to €20 million or 4% of annual turnover, whichever is higher. For late breach notifications, the maximum fine is €10 million or 2% of turnover.

The ICO's £250,000 fine represents less than 0.4% of Yahoo UK's 2016 gross profit, which amounted to £69 million, according to data held by Companies House.

It's also substantially less than the record £400,000 fine handed to hacked telco TalkTalk (and to Carphone Warehouse in a separate incident), despite the fact that the Yahoo breach affected around three times as many people in the UK alone.

This could represent the first of many fines for the search giant, however; Dipple-Johnstone said that other data protection authorities' and law enforcement bodies' investigations are still underway, which could spell more penalties on the horizon.

"As information commissioner Elizabeth Denham said in her recent speech at the National Cyber Security Centre, organisations need to do more than just shut the door," Dipple-Johnstone said. "They need to lock it. Then check the locks. But they must remember that it's no good locking the door if you leave the key under the mat."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.