Earlier this week, the Information Commissioner's Office (ICO) announced that it had imposed a fine of £250,000 (more than €280,000) on Yahoo! UK Services Limited over the 2014 cyber attack.
According to the ICO, the British counterpart of the CNIL, Yahoo! UK Services Ltd did not take "appropriate technical and organizational measures" to protect the data of more than 500,000 users from "exfiltration by unauthorized persons."
The ICO focused on the case of affected British users, whereas the cyber attack of November 2014 affected half a billion Yahoo accounts in total. It was not revealed until September 2016.
For this same data leak, the US stock market regulator fined the former Yahoo (Altaba) 35 million dollars (nearly 30 million euros). Yahoo's historical businesses were bought in 2017 by Verizon and merged with AOL into Oath. The remainder of Yahoo became the investment company Altaba.
"The shortcomings noted (note: in terms of security) had been in place for a long period of time without having been discovered or corrected," writes the ICO. After disclosing the 2014 cyber attack, Yahoo revealed an even older cyber attack, dating from 2013, that affected all of its 3 billion accounts at the time.
Last month, a Canadian national was sentenced by the US courts to five years in prison for hacking into Yahoo in 2014. Three other people, all Russian, were charged, two of whom worked for the Russian intelligence services.
In a press release, the ICO stresses that the legislation has changed since its investigation, notably with the entry into force of the European Data Protection Regulation (GDPR). After becoming aware of a personal data breach, companies have 72 hours to report it.