The UK ICO has hit Yahoo! UK Services Limited with a £250,000 fine for its 2014 data breach. It comes in at joint 7th on the ICO largest fine list. The fact that the data lost by Yahoo did not include credit card data is probably what kept the number low. Both Carphone Warehouse and Talk Talk who have been fined £400,000 in recent years did lose credit card data. Under the law in force at the time, the maximum fine could have been £500,000.
The judgement runs to 17 pages and sets out what the Commissioner took into account when setting out the fine. It revolves around two key failures to adhere to the seventh data protection principle. The two failures are:
- Yahoo! UK Service Limited failed to take appropriate technical and organisational measures to protect the personal data of the relevant customers against exfiltration by unauthorised persons. Yahoo! UK Services limited thereby breached the seventh data protection principle set out in Schedule 1 to the DPA (“DPP7”)
- Further of alternatively, Yahoo! UK Services Limited failed to take appropriate measures to ensure that its data processor, Yahoo! Inc., complied with standards equivalent to those imposed by the seventh data protection principle, and took appropriate steps to protect the personal data of the relevant customers against exfiltration by unauthorised persons. Yahoo! UK Services Limited thereby breached DPP7.
The judgement goes on to talk about other failures. These include the failure to correctly inform users of what would happen to their data. It also mentions that the since the breach, Yahoo! UK Services Limited is still unable to identify how employees credentials, that were used in the attack, were compromised.
What happened?
In 2014 Yahoo was hit by a major hacking attack that compromised its account management tool. Post that attack, Yahoo! UK Services Limited was hit by a second attack it credits to hackers sponsored by the Russian Federal Security Service. It is that attack this judgement deals with.
The hackers managed to exfiltrate, without anyone noticing, copies of 191 backup files from the main servers in the Yahoo network. The files contained personal data including names, email addresses, telephone numbers, dates of birth, hashed password and other security data. Some of the data was encrypted, the majority was not.
The data losses originally went unnoticed by Yahoo! They only came to light after it was in negotiations with Verizon who eventually acquired it. The announcement of the data losses led Verizon to demand a reduction in the acquisition fee.
What does this mean
Given what is now known about the lack of data security at Yahoo, this is a result for the company. £250,000 is half of the maximum fine it could, and in many people’s view, should have faced. If it pays before 22 June 2018, it will receive a 20% discount.
The judgement also talks about the failure to establish written contracts with Yahoo! Inc to determine how data would be handled. This is something that many companies will need to take notice of. GDPR tightens responsibility on all parties irrespective of whether they are the data controller or the data processor. It will be interesting to see how many future judgements look at the relationships between those capturing and processing data.
According to Tony Pepper, CEO and Co-Founder, Egress Software Technologies: “The Yahoo data breach is likely to go down in history as one of the most notorious – not just because of the scale of data subjects involved but because the company didn’t report the breach for two years. Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR as that legislation has much tougher consequences for a breach.
“As the ICO acknowledged in its findings, people expect organisations to keep their personal data safe. That means implementing technical and organisational measures to protect data against different types of breaches, including malicious and accidental. What’s more, should a breach occur, organisations need to take responsibility so that they can mitigate and report clearly on the impacts this will have on data subjects. The GDPR has forced most organisations to up their game in these respects, but any organisations that are still holding out will need to step up to avoid an ICO investigation themselves.”