12 June 2018 : Yahoo fined for data breach

The Information Commissioner’s Office (ICO) has fined Yahoo £250,000 over a data breach, following a cyber attack which occurred in 2014. Because the incident pre-dates the GDPR, the ICO’s investigation was carried out under the Data Protection Act 1998.

The data breach resulted in the theft of personal data of 500 million individuals. It is believed that names, email addresses, telephone numbers, dates of birth, hashed passwords, and some “encrypted or unencrypted security questions and answers” were compromised.

In a blog post concerning the ICO investigation, ICO Deputy Commissioner of Operations James Dipple-Johnstone said:

People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.

Of the 500 million compromised records, 515,121 accounts belonged to UK residents, for which Yahoo UK Services Ltd is responsible under UK law for any failure to protect the data. Despite evidence that the company knew about the breach shortly after it happened at the end of 2014, Yahoo did not openly disclose the incident until September 2016.


‘One of the most notorious’

Approximately eight million of the compromised accounts are believed to belong to individuals in the United Kingdom.

The ICO investigation also found:

  • The firm failed to ensure that its Yahoo-owned data processor “complied with the appropriate data protection standards”
  • It did not ensure that the credentials of employees with access to customer data were monitored
  • There was “a long period of time” before the flaws which led to the breach were discovered or addressed

In 2017 Verizon acquired Yahoo and merged it with AOL to form a new company called Oath. The firm was investigated under the former UK Data Protection Act 1998, which pre-dates the new GDPR. Tony Pepper, CEO of Egress Software Technologies, was quoted as saying that the data breach would be remembered as “one of the most notorious” – because of its size and the two-year period between the attack and the report.

“Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR which has much tougher consequences for a breach,” said Tony Pepper.

With approximately 679,000 results for the search term “Yahoo fined for data breach”, this has been one of the biggest news stories around GDPR so far.
