Yahoo! handed £250k fine following a major data breach
After 4 long years, Yahoo! has finally been handed a £250,000 fine for the 2014 cyber attack, which exposed the data of half a million British users.
Russian hackers broke into Yahoo!’s servers and took the personal information of 500 million international account holders, including names, email addresses, phone numbers, birthdates and hashed passwords.
Yahoo!, who knew about the hack not long after it happened in late 2014, didn’t report it until September 2016. Since then, fines and court cases have been raised by a number of regulators.
Yahoo! UK Services Ltd lucky to be issued fine under the Data Protection Act 1998
On 12 June 2018, the Information Commissioner’s Office (ICO) issued Yahoo! UK Services Ltd with a £250,000 fine for the 515,121 UK accounts involved in the cyber attack.
The ICO has said that “systematic failures” put user data at risk and that the UK arm of Yahoo! failed to take appropriate action or have any organisational measures in place to prevent a data breach of this size.
This investigation was carried out under the Data Protection Act 1998 so, considering the size of the breach and the fact that it was kept quiet for over two years, Yahoo! UK has actually been quite lucky to be handed such a light fine from the ICO. Had this been carried out under the General Data Protection Regulation, the UK arm of Yahoo! would have received a much larger penalty.
Under the Data Protection Act 1998, the maximum fine for a data breach can only be £500,000
ICO deputy commissioner of operations James Dipple-Johnstone said that cyber attacks were a fact of life and that companies had to keep up.
“As the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in,” he said. “But they must also remember that it’s no good locking the door if you leave the key under the mat.”