Information Commissioner fines Yahoo! £250,000 after systemic failures put customer data at risk

Yahoo! UK Services Ltd was fined following a cyber attack in November 2014. The incident was publicly disclosed in September 2016, almost two years after it had taken place.

Because of when the breach happened, the ICO’s investigation was carried out under the Data Protection Act 1998.

The ICO investigation considered the circumstances under which the personal data of approximately 500 million international users of Yahoo!’s services was placed at risk. In particular, the ICO focused on the 515,121 UK accounts for which Yahoo! UK Services Ltd had responsibility as a data controller.

The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

In summary, the investigation found that:

  • Yahoo! UK Services Ltd failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorised persons;
  • the company failed to take appropriate measures to ensure that its data processor, Yahoo! Inc, complied with the appropriate data protection standards;
  • it also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and
  • the inadequacies found had been in place for a long period of time without being discovered or addressed.

The ICO considered the breach to be a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. Under the 1998 Act, the ICO has the power to impose a maximum fine of £500,000. The ICO said that the scale of the fine reflected Yahoo! UK Services Ltd’s specific responsibilities as a data controller and was limited in scope to the 515,121 customers of Yahoo! UK Services Ltd who were affected.

Under the new General Data Protection Regulation, the ICO has powers to impose much higher fines. The ICO has published its full press release and the monetary penalty notice.