Yahoo has been fined £250,000 by the Information Commissioner's Office (ICO) after a 2014 cyber attack, attributed to Russia, exposed the data of some 500m users.
The watchdog found that the worldwide breach put Yahoo (formally, its UK subsidiary Yahoo! UK Services Ltd) in breach of the Data Protection Act 1998, with around 500,000 British account holders affected.
Yahoo, since acquired by US telecoms firm Verizon and merged with AOL to form Oath, described the attack as sponsored by the Russian state. Last year, US authorities charged two hackers allegedly involved in the incident, alongside two Russian intelligence officers.
The breach exposed personal information including names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers, and remains one of the largest data breaches on record.
The £250,000 fine is small next to penalties imposed elsewhere over the same incidents, such as the $35m (£26.1m) that Yahoo's former holding company Altaba paid the US Securities and Exchange Commission for failing to disclose the breach to investors. UK domestic law at the time capped ICO fines at £500,000.
In a statement, ICO deputy commissioner of operations James Dipple-Johnstone said:
“People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised.”
Those failings were:
A failure by Yahoo to ensure that its data processor complied with the appropriate data protection standards;
A failure to take appropriate technical and organisational measures to protect the data from exfiltration by unauthorised persons;
A failure to ensure that appropriate monitoring was in place to protect the credentials of employees with access to user data;
And the fact that these inadequacies had existed for a long period before they were discovered or addressed.
The ICO said that the Russian state involvement, and the fact that the incident was “a sophisticated and persistent criminal attack”, had been taken into account in deciding the size of the penalty.
Although the hack predated the acquisition, Verizon cut its purchase price for Yahoo by $350m on account of the 2014 attack and of an earlier breach, dating from 2013, that exposed the data of more than 1bn user accounts.
Dipple-Johnstone added: “Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers' personal data, they may find customers taking their business elsewhere.”