Yahoo is fined £250,000 over Russia-sponsored cyber attack

Yahoo has been fined £250,000 over a Russian ‘state-sponsored’ cyber attack that may have breached more than eight million accounts in the UK.

Personal data including names, email addresses, telephone numbers, passwords and encrypted security questions and answers were potentially compromised on about 500 million accounts worldwide during the hack, the ICO said on Tuesday.

The data protection watchdog said the internet giant had ‘failed to prevent’ the Russia-sponsored hack that affected more than eight million accounts relating to UK addresses.

Yahoo has been fined over a hack on email accounts around the world, 500,000 in Britain

The ICO said the fine related to the 515,121 accounts which were co-branded as Sky and Yahoo services in the UK, for which Yahoo! UK Services Ltd is the data controller.

The breach was publicly disclosed in September 2016, nearly two years after it took place.

James Dipple-Johnstone, ICO’s deputy operations commissioner, criticised ‘inadequacies’ that had been in place for a long time without being ‘discovered or addressed’.

The UK wing had ‘ample opportunity’ to improve security and potentially prevent the breach, he said.

‘We accept that cyber-attacks will happen and as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge,’ Mr Dipple-Johnstone added.

‘However, organisations must take appropriate steps to protect the data of their customers from this threat.’

Former Yahoo! CEO Marissa Mayer is seen above in this 2014 file photo

Yahoo declined to comment on the investigation carried out under the Data Protection Act 1998.

During the second half of 2016, Yahoo! reported two major data breaches perpetrated by hackers.

In September 2016, the company said that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world’s biggest known cyber breach by far.

Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said.

But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signaling that some of the most valuable user data was not taken.

In December 2016, it was learned that an even bigger breach took place in August 2013.

The company admitted that all three billion of Yahoo!’s users were affected by the 2013 data theft that the company originally said had only affected 1 billion users.

The additional two billion data theft victims came to light as Yahoo! was being integrated with Verizon, which bought the company in June for $4.5 billion.

The investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information.