The UK’s Information Commissioner’s Office has fined Yahoo! £250,000 (US$333,000) as a result of offences relating to the internet giant’s 2014 data breach.
The cyber attack compromised the personal data of approximately 500 million users globally, and the ICO’s ruling focused on around 500,000 email accounts operated by Yahoo! UK Services Limited.
The investigation found that Yahoo! had failed to take appropriate technical and organisational measures to protect customer data against unauthorised access, or to ensure that its US parent and data processor – Yahoo! Inc – complied with appropriate data protection standards. The case was heard under the pre-GDPR regime, where sanctions were much lower than the potential €20 million fines under the new regulation. It should also be noted that Yahoo! did not announce the breach until 2016, two years after the incident. The GDPR now obliges organisations to notify breaches within 72 hours.
The ruling emphasises the need for multinational companies to ensure a joined-up global approach to data protection, and demonstrates that European authorities will take enforcement action over international breaches. Such action is likely to increase given the wider territorial scope of the GDPR, and the far higher sanctions that would apply if the incident had occurred today.
Cyber-attacks will happen; that’s just a fact, and we fully accept that they are a criminal act. But as the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in. They must also remember that it’s no good locking the door if you leave the key under the mat.