(Reuters) - Britain’s data watchdog said on Tuesday it fined Yahoo UK Services Ltd 250,000 pounds for a cyber-attack in November 2014.
Yahoo, most of whose assets were acquired by Verizon Communications Inc (VZ.N), said in 2016 that at least 500 million of its accounts had been hacked two years earlier.
The Information Commissioner’s Office (ICO) said it focused on the 515,121 UK accounts that London-based Yahoo UK Services oversaw as a data controller.
The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
The ICO investigation found Yahoo UK Services failed to protect the data and take steps to ensure parent Yahoo Inc complied with the appropriate data protection standards.
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures,” ICO’s Deputy Commissioner of Operations James Dipple-Johnstone said.
“...it’s no good locking the door if you leave the key under the mat.”
The inadequacies found had been in place for a long period without being discovered or addressed, ICO added.
Yahoo’s European regulator has ordered it to make privacy changes following a probe into what it said was one of the largest ever data breaches to impact EU citizens.
Ireland’s Data Protection Commissioner, the lead European regulator on privacy issues for Yahoo, whose European headquarters are in Dublin, said last week Yahoo’s data processing operations did not meet standards required by EU law.
Yahoo UK did not immediately respond to a request for comment.
Reporting by Arathy S Nair in Bengaluru; Editing by Shounak Dasgupta