The ICO has taken the decision to fine Yahoo UK Services £250,000 for the data breach following a cyber attack in November 2014. The maximum permissible fine could have been double that.

It took Yahoo almost two years to disclose the breach, which compromised the personal data of more than 500 million users, including their names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers (both encrypted and unencrypted). 8 million of the compromised accounts belonged to UK citizens.

Although 500 million international users’ data was compromised, the ICO investigation focused on the 515,121 UK accounts for which the firm’s UK division was responsible, and found the following:

  • Yahoo UK Services failed to take appropriate technical and organisational measures to protect the data from unauthorised access.
  • The firm failed to ensure that its data processor (also Yahoo) complied with the data protection standards required by law.
  • Yahoo failed to ensure that the credentials of employees with access to customer data were monitored.
  • Yahoo failed to discover or address the flaws that had been present in its systems for a long time and that resulted in the breach.

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised,” explained ICO Deputy Commissioner of Operation, James Dipple-Johnstone.

Mr Dipple-Johnstone added, “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But as the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in. But they must also remember that it’s no good locking the door if you leave the key under the mat.”

If the breach had been investigated under the GDPR, the ramifications would likely have been much worse, given the magnitude of the breach and the time it took Yahoo to disclose it (two years!). Under the GDPR, a breach of personal data must be reported within 72 hours. Because the breach occurred in 2014, the governing law at the time was the Data Protection Act 1998, so it seems that Yahoo has gotten off lightly.

“Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere,” Mr Dipple-Johnstone said.
