THE INFORMATION COMMISSIONER’S OFFICE (ICO) has slapped Yahoo with a £250,000 fine for a 2014 data breach that exposed the details of more than 500,000 UK citizens.
The ICO’s fine, which comes just weeks after the Securities and Exchange Commission (SEC) fined Yahoo $35m for failing to disclose the breach until September 2016, follows an investigation by the watchdog which concluded that the company “failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorised persons”.
This data, exposed in the mega-breach that affected 500 million Yahoo customers globally, included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
Yahoo also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data, the ICO said, adding that the company didn’t take appropriate measures to ensure it complied with the relevant data protection standards.
Given these failings, the ICO concluded that the breach was “a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”
ICO Deputy Commissioner of Operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it.
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”
Yahoo hasn’t officially commented on the penalty but told TechCrunch that, since the breach, it has doubled the size of its global security organisation, created a cybersecurity advisory board and relaunched its bug bounty programme back in April.
Source: Inquirer