IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Yahoo handed £250,000 fine over 2014 data breach

ICO punishes Yahoo's UK arm for failing to protect 515,000 Brits

Yahoo's UK branch has been handed a 250,000 fine by the Information Commissioner's Office (ICO) over the 2014 data breach which resulted in the theft of around 500 million people's personal data.

The regulator slammed the company's failure to apply adequate protections against the theft, and said that "the inadequacies found had been in place for a long period of time without being discovered or addressed".

In addition, the ICO also discovered that Yahoo's UK subsidiary had failed to ensure that its parent company was complying with the necessary data protection standards in its role as data processor, and had not properly monitored the security credentials of Yahoo employees with access to customer data in order to prevent misuse.

The incident in question was just one of several data breaches suffered by Yahoo, in which cyber thieves made off with information including dates of birth, phone numbers, names and email addresses. They also stole hashed passwords and security questions and answers in both encrypted and unencrypted forms.

A separate data breach dating back to 2013 was revealed last year to have affected all 3 billion Yahoo accounts, which a US judge ruled earlier this year the company would have to face legal action over.

Following a $4.4 billion acquisition, Yahoo is now part of the Verizon-owned Oath group, along with AOL.

The fine, which was levied against Yahoo! UK Services Limited rather than its global parent company, related specifically to the organisation's failure to protect the 515,000 UK-based accounts that were affected by the 2014 breach.

"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," ICO deputy commissioner of operations, James Dipple-Johnstone, said. "Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."

"We accept that cyber attacks will happen and as the cyber criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat."

Despite the fact that it took Yahoo two years to disclose the breach after it occurred, because the ICO's investigation began before the General Data Protection Regulation (GDPR) came into force, the watchdog is limited to a maximum fine of 500,000. Dipple-Johnstone warned that the law has now changed, and individuals have much stronger rights.

Something he did not mention was that the potential maximum penalties for companies who fail to take adequate measures to protect themselves and do not report breaches in a timely fashion - like Yahoo failed to in this case - are much more severe under the new rules. Maximum fines regulators can levy can hit 20 million or 4% of annual turnover, whichever is higher. For late breach notifications, the maximum fine is 10 million or 2% of turnover.

The ICO's 250,000 fine represents less than 0.4% of Yahoo UK's 2016 gross profit, which amounted to 69 million, according to data held by Companies House.

It's also substantially less than the record 400,000 fine that was handed to hacked telco TalkTalk, (and to Carphone Warehouse in a separate incident) despite the fact that the Yahoo breach affected around three times as many people in the UK alone.

This could represent the first of many fines for the search giant, however; Dipple-Johnstone said that other data protection authorities' and law enforcement bodies' investigations are still underway, which could spell more penalties on the horizon.

"As information commissioner Elizabeth Denham said in her recent speech at the National Cyber Security Centre, organisations need to do more than just shut the door," Dipple-Johnstone said. "They need to lock it. Then check the locks. But they must remember that it's no good locking the door if you leave the key under the mat."

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

Free Download

Most Popular

Windows 10 users locked out of devices by unskippable Microsoft 365 advert

Windows 10 users locked out of devices by unskippable Microsoft 365 advert

3 Feb 2023
Why energy efficient technology is key to a sustainable business

Why energy efficient technology is key to a sustainable business

16 Jan 2023
What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023