The UK's Information Commissioner's Office (ICO) has imposed a fine of £250,000 on Yahoo's UK division for failing to notify the 2014 cyber attack on time. Yahoo officials disclosed the hack in September 2016, i.e. two years after the breach occurred, which was strictly against the UK's data protection standards.
In September 2016, Yahoo disclosed that the data of more than 500 million users worldwide had been compromised in a data breach, including the details of 515,121 UK account holders. The leaked data included email addresses, names, phone numbers, dates of birth, hashed passwords and, for some users, encrypted security questions and answers.
When the ICO investigated Yahoo's data breach, it found that the leak occurred because the web service provider had failed to take appropriate technical and organisational measures. Yahoo had also never put appropriate monitoring measures in place to protect its users' credentials. The ICO said that these inadequacies had persisted for a long period of time without being disclosed or addressed.
James Dipple, the ICO's Deputy Commissioner of Operations, confirmed this in a statement released a couple of hours ago.
Mr. Dipple also added that since the EU General Data Protection Regulation (GDPR) came into effect on May 25th, 2018, people in Britain now have stronger rights and more control and choice over their personal data.
Note 1: In October 2016, the ICO imposed a fine of £400,000 on TalkTalk because the company had failed to keep its customer data secure from hackers.
Note 2: In general, the UK's Information Commissioner's Office can impose a maximum penalty of £500,000 under the Data Protection Act 1998. Under the GDPR regime, however, the data protection watchdog can impose a maximum penalty of £20 million or 4% of a company's global annual turnover.