Yahoo Charged £250,000 by ICO for 2014 Data Breach

June 17, 2018


The UK’s Information Commissioner’s Office (ICO) has fined Yahoo £250,000 over the data breach the firm suffered in 2014. The penalty was issued for serious contraventions of the Data Protection Act 1998.

The 2014 data breach exposed the data of more than 515,000 UK Yahoo email account holders. The information disclosed included customers’ names, usernames, email addresses, hashed passwords, telephone numbers, dates of birth, and security questions and answers, both encrypted and unencrypted.

According to the ICO, Yahoo’s UK arm, Yahoo UK Services Ltd, was responsible for the affected accounts and failed to take appropriate measures to protect the data.

The investigation uncovered a series of security failings. Yahoo UK Services Ltd had failed to put in place appropriate technical and organisational measures to protect customer data and prevent its theft.

Yahoo UK Services Ltd transferred customer data to its data processor, Yahoo! Inc., but did not ensure that appropriate data protection standards were applied. Nor did it carry out adequate monitoring to ensure that the credentials of employees with access to customer data were protected. These shortcomings went undetected for a considerable period of time.

The failures were found to constitute a serious contravention of Principle 7 of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be in place to protect customer data against unauthorised access and processing.

Had the breach occurred after May 25, 2018, when GDPR came into full effect, the potential penalty would have been significantly higher. Under the previous law, the maximum penalty for a Data Protection Act contravention was £500,000. Under GDPR, the maximum penalty is €20,000,000 (£17,493,000) or 4% of global annual turnover, whichever is greater.