The Yahoo UK division has been fined £250,000 ($335,000) by the Information Commissioner’s office due to the data breach that took place in 2014. The incident was reported two years later. The company said that the hackers who stole the personal information which included names unencrypted security questions were state-sponsored. The Information Commissioner’s office said that the company failed to take the necessary measures in order to protect the data of its users.
The Yahoo UK division has been fined £250,000 ($335,000) by the Information Commissioner’s office due to the data breach that took place in 2014. The incident was reported two years later. The company said that the hackers who stole the personal information which included names unencrypted security questions were state-sponsored. The Information Commissioner’s office said that the company failed to take the necessary measures in order to protect the data of its users.
“The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data,” wrote deputy commissioner of operations James Dipple-Johnstone in a blog. “Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”
More than 8 Million accounts affected were UK citizens, the ICO’s investigation also found that the firm failed to ensure that the customer data which was sufficiently encrypted. The company didn’t even monitor employees who had access to the user data.
Verizon has acquired Yahoo in 2017 and AOL before that to combine both companies and name it Oath. The company was investigated under the UK 1988 Data Protection Act which pre-dates the new European GDPR. The CEO of Egress Software Technologies Tony Pepper said that the breach would go down in history as one of the biggest because of its size and two year period between the attack and admission report.
“Although the fine has been a long time to come, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than GDPR which has much tougher consequences for a breach,” he said.
Companies should take GDPR seriously as it is will improve the privacy for many.