
Yahoo fined £250,000 over cyber-attack

13 June 2018

Yahoo!'s United Kingdom arm has finally been handed a £250,000 fine for the 2014 cyber attack that exposed the data of half a million British users.

Although the United Kingdom has just ratified a new Data Protection Act, which implements the General Data Protection Regulation and comes with larger fines, this investigation was carried out under the Data Protection Act 1998.

Nonetheless, ICO deputy commissioner of operations James Dipple-Johnstone said that cyber attacks were a fact of life and that companies had to keep up. The ICO said Yahoo! UK Services Ltd, now part of US telecoms giant Verizon, "failed to take appropriate technical and organisational measures to protect the".

The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

The additional two billion data theft victims came to light as Yahoo! was being integrated with Verizon, which bought the company in June for $4.5 billion.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo! employees who could access customers' data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo!

Dipple-Johnstone said: "The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop United Kingdom citizens' data being compromised".

Happily for Oath, GDPR does not apply retrospectively, so the case fell under the UK's domestic regime, which only allows for maximum penalties of £500k.

Reputation-wise, it is perhaps another matter.

Yahoo said it did not comment on regulatory action.

The fine is equivalent to just under 50p for every British user affected by the attack, and follows another fine of $35m (£26m) issued by the US Securities and Exchange Commission.

Security is certainly now being pushed up the C-suite agenda for all organisations handling European Union data, as GDPR concentrates minds on much more sizable legal liabilities.

The firm was investigated under the United Kingdom's Data Protection Act 1998, which pre-dates the new European data regulation, GDPR.

"We accept that cyber-attacks will happen and as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge," Mr Dipple-Johnstone added.