Regulators fined a British Yahoo subsidiary Tuesday for not disclosing a data breach four years ago that involved data of more than a half-million users.
Names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers were included in the 2014 breach.
James Dipple-Johnstone, deputy of operations at the Information Commissioner’s Office, said in a statement Tuesday that Yahoo’s failings are not what would be expected from a company large enough to avert such breaches.
“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But as the intruders become more sophisticated and more determined, organizations need to make it as difficult as possible for them to get in,” said Dipple-Johnstone. “But they must also remember that it’s no good locking the door if you leave the key under the mat.”
The ICO’s investigation, carried out under the Data Protection Act 1998, found that Yahoo UK Services Ltd. failed to take technical and organizational measures to protect the data of 515,121 users.
Yahoo ultimately disclosed the breach in 2016.
For the company’s delayed handling of the matter, it was fined nearly $335,000 Tuesday.
The Information Commissioner’s Office is a non-departmental British agency responsible for enforcing the Data Protection Act.
In April, federal regulators fined Yahoo owner Altaba $35 million for a different data breach in 2013 that affected all three billion of the company’s users.
By Susan McFarland