June 13, 2018 // 10:12 a.m.
The UK arm of the once-dominant search giant Yahoo!, whose parent US operation was recently rebranded as Altaba following its acquisition by communications company Verizon, has received a £250,000 penalty from the Information Commissioner's Office (ICO) for security breaches disclosed in 2016.
Disclosed by the company in late 2016, the data breach was initially thought to affect a whopping 500 million customers before a second breach in December that year added another billion to the list. By February 2017 the company was still vulnerable to attack, and the news that the company had known of the original breach for two years before telling customers and had installed an insecure back-door into its email system for the US government gave its users little cause for sympathy.
Now, approaching two years after the first breach was disclosed, the Information Commissioner's Office (ICO) has weighed in with a £250,000 penalty - half the maximum permissible under the Data Protection Act 1998, the law the ICO opted to apply to the 2014 breach - for Yahoo UK Services Limited, the UK arm of the company now known as Altaba.
In its announcement of the penalty, an ICO representative summarised the investigation's findings as including that the company 'failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorised persons; the company failed to take appropriate measures to ensure that its data processor – Yahoo Inc – complied with the appropriate data protection standards; it also failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo employees with access to Yahoo customer data; [and] the inadequacies found had been in place for a long period of time without being discovered or addressed.'
The penalty, which is considerably smaller than the £25 million the US Securities and Exchange Commission (SEC) demanded for the same breach earlier this year, could have been much higher: the Data Protection Act 2018, which replaces the now-repealed Data Protection Act 1998, allows for penalties of up to €20 million or four percent of a company's total annual global turnover, whichever is higher, but was not in force at the time of the 2014 breach or Yahoo's 2016 disclosure of it.