Yahoo has been fined £250,000 over a cyber-attack that may have breached more than eight million accounts in the UK, the Information Commissioner’s Office (ICO) has announced.
Personal data including names, email addresses, telephone numbers, passwords and encrypted security questions and answers were potentially compromised on about 500 million accounts worldwide during the hack, the ICO said on Tuesday.
The data protection watchdog said the internet giant had “failed to prevent” the Russia-sponsored hack that affected more than eight million accounts relating to UK addresses.
The ICO said the fine related to the 515,121 accounts which were co-branded as Sky and Yahoo services in the UK, for which Yahoo! UK Services Ltd is the data controller.
The breach was publicly disclosed in September 2016, nearly two years after it took place.
James Dipple-Johnstone, ICO’s deputy operations commissioner, criticised “inadequacies” that had been in place for a long time without being “discovered or addressed”.
The UK wing had “ample opportunity” to improve security and potentially prevent the breach, he said.
“We accept that cyber-attacks will happen and as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge,” Mr Dipple-Johnstone added.
“However, organisations must take appropriate steps to protect the data of their customers from this threat.”
Yahoo declined to comment on the investigation carried out under the Data Protection Act 1998.