Yahoo! UK Services Limited has been fined £250,000 by the Information Commissioner’s Office (ICO) following a cyber-attack in November 2014. The incident was publicly disclosed in September 2016, almost two years after it had taken place.
Because of when the breach happened, the ICO’s investigation was carried out under the Data Protection Act 1998.
It considered the circumstances under which the personal data of approximately 500 million international users of Yahoo!’s services was placed at risk. In particular, the ICO focused on the 515,121 UK accounts, that Yahoo! UK Services Limited – based in London – had responsibility for as a data controller.
“Since our investigation, the law has changed. Under the General Data Protection Regulation and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere.
We accept that cyber-attacks will happen and as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat.”
– James Dipple-Johnstone, Deputy Commissioner of Operations, ICO
Under GDPR fines of up to €20 million, or 4% annual global turnover (whichever is higher) can be imposed. For the year 2017, Verizon the new owners of Yahoo! reported $126 billion in consolidated revenues (in 2014 it was $127.1 billion) meaning a GDPR fine could have been anything up to $5.04 billion or approximately £3.76 billion.