Yahoo! has been fined £250,000 by the UK’s Information Commissioner’s Office (ICO) over a cyber-attack that took place in 2014 and put data on 500 million customers at risk. The fine will be reduced to £200,000 if it’s paid before 21st June, 2018.
Yahoo! did not disclose the attack until 2016, two years after it took place. The fine has been imposed under the Data Protection Act 1998.
Had the attack occurred after 25 May 2018, the date the EU's General Data Protection Regulation (GDPR) came into force, Yahoo! could instead have faced penalties under the GDPR, which lets the ICO impose fines of up to 20 million EUR or 4 percent of global annual turnover, whichever is higher.
The maximum fine that can be imposed under The Data Protection Act 1998 is £500,000.
The attack took place in November and December 2014, and the compromised data consists of 191 backup files containing 500 million user records. It followed an earlier breach, in August 2013, that reportedly compromised 3 billion Yahoo! accounts.
According to Yahoo!, the attack occurred because “attackers were able to obtain access to Yahoo systems by exploiting compromised credentials of Yahoo employees who were authorised to access those systems.”
The US Department of Justice indicted four individuals in connection with the attack: two officers of Russia's FSB intelligence service and two criminal hackers. Using what was taken in the attack, the two hackers forged Yahoo! authentication cookies that gave them access to about 6,500 targeted users' accounts without needing those users' passwords.
According to a report from CBC, the Yahoo! accounts hacked include those of an assistant to the Deputy Chairman of Russia, Russian journalists, officials of states bordering Russia and US government workers.
In determining the extent to which Yahoo! contravened the Data Protection Act 1998, the ICO paid particular attention to the 515,121 Yahoo! accounts for which Yahoo! UK Services Limited is defined as the data controller.
The attack was against Yahoo! Inc. servers based in the USA; under the Data Protection Act 1998, Yahoo! Inc. is deemed to be the data processor acting on behalf of Yahoo! UK Services Limited.
The personal information compromised in the attack includes names, email addresses, dates of birth, hashed passwords, and security questions and answers, some of which were stored encrypted and some in the clear.
In particular, the ICO found that Yahoo! UK contravened principle 7 of the Data Protection Act 1998 by “failing to take appropriate technical and organizational measures to protect the personal data of the relevant customers against exfiltration by unauthorized persons.”