The UK’s Information Commissioner’s Office (ICO) has fined Yahoo! UK Services Limited £250,000 for lapses related to a 2014 data breach that exposed personal data on roughly 500 million Yahoo users worldwide.
The compromised data included email addresses, names, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers, the ICO says.
The ICO noted that the incident was “publicly disclosed in September 2016, almost two years after it had taken place.”
The announcement follows the wrapping up of an investigation by the Irish Data Protection Commission (DPC), which found that Yahoo’s data processing did “not meet the standard required by EU data protection law.” No financial penalty was set by the DPC.
The ICO’s investigation determined that Yahoo “failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorized persons,” the ICO says.
In addition, Yahoo did not take measures to “ensure that its data processor – Yahoo! Inc. – complied with the appropriate data protection standards,” the ICO says.
The firm also lacked appropriate monitoring to protect the credentials of employees with access to customer data. The ICO adds that all of these inadequacies had “been in place for a long period of time without being addressed.”
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised,” states James Dipple-Johnstone, the ICO’s deputy commissioner of operations.
The investigation was carried out under the Data Protection Act 1998, not the GDPR.