The UK Information Commissioner’s Office (ICO) has fined Yahoo £250,000 over a data breach which occurred in 2014.
The data breach resulted in the theft of at least 500 million records. It is believed that names, email addresses, telephone numbers, dates of birth, hashed passwords, and some “encrypted or unencrypted security questions and answers” were compromised.
Yahoo has blamed the incident on state-sponsored hackers but has not said which country may have been involved.
The data breach was disclosed two years later, in September 2016.
The delay gave threat actors ample time to do what they wished with user data and keeping customers in the dark for so long was unacceptable to UK regulators, who launched an investigation into the security failure.
The UK’s data protection watchdog fined Yahoo £250,000 on Tuesday for failing to secure information belonging to UK customers, under which Yahoo had a responsibility as a data controller.
According to James Dipple-Johnstone, ICO Deputy Commissioner of Operations, an investigation carried out under the Data Protection Act 1998 found that Yahoo “failed to prevent unauthorized access to the personal data of approximately 500 million international users of its services.”
Out of the 500 million exposed records, 515,121 accounts belonged to UK residents, under which Yahoo! UK Services is liable for failures to protect data under UK law.
“The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data,” Dipple-Johnstone says. “Yahoo! UK Services had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”
According to the UK information watchdog, not only did Yahoo fail to take “appropriate technical and organizational measures” to protect the data of 515,121 UK customers, but the company also “failed to take appropriate measures” in making sure that Yahoo Inc., the data processor, complied with data protection standards.
In addition, the ICO says that Yahoo failed to ensure monitoring was in place to protect the credentials of employees with access to the stolen data, and these security “inadequacies” were left for a “long period” without being addressed.
Despite the ICO’s penalty, Yahoo may have been fortunate.
The fine was limited to the UK customers affected, but now, the rules have changed with the arrival of the General Data Protection Regulation (GDPR).
It may be that the delay in reporting such a massive breach of data highlighted the need for change when the EU reviewed data protection standards and launched GDPR, creating the stipulation of a tight deadline on data breach disclosure — as well as tougher measures for breaking the rules.
Under GDPR, customers have more control over their data, and companies are now held to far higher standards in relation to data collection, management, control, and security.
We are yet to see a company fined under the new rules, but it is possible that future penalties could be far higher for firms with inadequate security measures and disclosure procedures.
“Organizations need to do more than just shut the door,” Dipple-Johnstone says. “They need to lock it. Then check the locks. But they must remember that it’s no good locking the door if you leave the key under the mat.”
A separate breach in 2013 exposed up to three billion accounts. According to the tech giant, threat actors were able to access accounts without passwords by stealing and tampering with Yahoo’s source code.
ZDNet has reached out to Yahoo and will update if we hear back.