
The UK Information Commissioner's Office (ICO) has fined Yahoo £250,000 over a data breach which occurred in 2014.

The data breach resulted in the theft of at least 500 million records[1]. It is believed that names, email addresses, telephone numbers, dates of birth, hashed passwords, and some "encrypted or unencrypted security questions and answers" were compromised.

Yahoo has blamed the incident on state-sponsored hackers but has not said which country may have been involved.

The data breach was disclosed two years later, in September 2016.

The delay gave threat actors ample time to do what they wished with user data, and keeping customers in the dark for so long was unacceptable to UK regulators, who launched an investigation into the security failure.

The UK's data protection watchdog fined Yahoo £250,000 on Tuesday for failing to secure information belonging to UK customers, for which Yahoo had a responsibility as a data controller.

According to James Dipple-Johnstone[2], ICO Deputy Commissioner of Operations, an investigation carried out under the Data Protection Act 1998 found that Yahoo "failed to prevent unauthorized access to the personal data of approximately 500 million international users of its services."

Out of the 500 million exposed records, 515,121 accounts belonged to UK residents, for which Yahoo! UK Services is liable under UK law for failures to protect data.

"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," Dipple-Johnstone says. "Yahoo! UK Services had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."

According to the UK information watchdog, not only did Yahoo fail to take "appropriate technical and organizational measures" to

Read more from our friends at ZDNet