Yahoo Slapped with £250K ICO Fine

Yahoo has been fined £250,000 by UK privacy regulator the Information Commissioner’s Office (ICO) following a 2014 Russian state-sponsored attack which resulted in the compromise of 500 million accounts.

The incident, which was only reported two years later by the internet pioneer, led to the compromise of over 500,000 Yahoo UK accounts.

The personal data involved included names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.

According to reports, the accounts were co-branded with Sky, but Yahoo UK was the data controller and so had responsibility for their security under previous data protection laws.

The lengthy ICO investigation found that Yahoo UK “failed to take appropriate technical and organizational measures” to protect the data and ensure it complied with data protection standards. It also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo employees who had access to customer data.

These deficiencies were present in the company “for a long period of time” without being addressed, the ICO argued.

ICO deputy commissioner of operations, James Dipple-Johnstone, argued that organizations not only need to shut the door but also lock it and “check the locks.”

“Since our investigation, the law has changed. Under the General Data Protection Regulation and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data,” he added. “If organizations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere.”

Last year the Department of Justice charged two Russian FSB officers and hacker-for-hire Alexsey Belan for conspiring to break into Yahoo to obtain information on persons of interest to the Kremlin.

Also in 2017, Yahoo admitted that a previous 2013 breach of one billion accounts actually affected three times that amount.
