Yahoo fined £250,000 for hack that impacted 515,000 UK accounts

ICO says firm ‘failed to prevent’ 2014 Russia-sponsored hack after 500m accounts compromised

Yahoo has been fined £250,000 over a hack from 2014 that affected more than 515,000 UK email accounts co-branded with Sky, the Information Commissioner’s Office has announced.

The personal data of 500m user accounts worldwide was compromised during a state-sponsored cyber attack in 2014, which was only revealed in 2016. The stolen data included names, email addresses, telephone numbers, passwords and encrypted security questions and answers, the ICO said on Tuesday.

The ICO said the fine related to the impact on 515,121 accounts that were co-branded as Sky and Yahoo services in the UK, for which Yahoo! UK Services Ltd is the data controller.

The data protection watchdog said the internet firm had “failed to prevent” the Russia-sponsored hack, following an investigation carried out under the Data Protection Act 1998. James Dipple-Johnstone, ICO’s deputy operations commissioner, criticised “inadequacies” that had been in place for a long time at Yahoo without being “discovered or addressed”.

ICO said Yahoo had failed to take appropriate measures to prevent the theft of data and failed to ensure that data was processed by Yahoo’s US arm with appropriate data protection standards.

Dipple-Johnstone said: “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

Yahoo declined to comment. The firm has since been acquired by US cable operator Verizon and was merged with fellow original internet firm AOL to form Oath, an operator of various specialist sites and internet services.

“We accept that cyber-attacks will happen and as the cybercriminals get shrewder and more determined, the protection of data becomes even more of a challenge,” said Dipple-Johnstone. “However, organisations must take appropriate steps to protect the data of their customers from this threat.”

Yahoo also suffered a larger data breach in 2013 that affected 1bn accounts but it was only revealed in 2016, after the disclosure of the 2014 hack.


Samuel Gibbs
