Britain fines Yahoo UK Services for 2014 email hack


Britain’s data watchdog on Tuesday fined Yahoo roughly $334,000 for its handling of a massive email cyberattack in 2014 that exposed the personal data of millions of users worldwide.

The Information Commissioner’s Office (ICO) focused its investigation on approximately 515,121 email accounts of United Kingdom (U.K.) customers, which Yahoo's London-based U.K. Services oversaw. 

The ICO in a blog post said Yahoo failed repeatedly to protect the personal data of its U.K.-based customers.

Yahoo failed to "take appropriate technical and organizational measures" to protect clients' data, did not comply with data protection standards at the time and did not provide appropriate monitoring services for Yahoo employees with access to customer data, it added. 


The problems persisted "for a long period of time" without the company discovering or addressing them, the watchdog found.

“People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it," ICO Deputy Commissioner of Operations James Dipple-Johnstone said in a statement.

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

Earlier this year, a U.S. regulator also fined Yahoo over its handling of the same breach, and that penalty was far larger.

The U.S. Securities and Exchange Commission (SEC) in April issued a $35 million penalty after Yahoo failed to properly notify customers and investors that hackers had compromised hundreds of millions of user accounts.

Yahoo, which was rebranded after being purchased by Verizon last year, first learned about the cyber intrusion in December 2014, but did not alert the public until December 2016, according to the SEC’s order.

Yahoo agreed to pay the penalty without admitting or denying wrongdoing. The settlement marked the first time the SEC had pursued a company for failing to properly disclose a cyber breach.

The data of approximately 500 million users globally were exposed in the breach, with cyber criminals gaining access to internal data such as usernames, email addresses, passwords, phone numbers and birthdates, as well as security questions and answers.