12 June 2018

James Dipple-Johnstone, ICO Deputy Commissioner of Operations, says that while data protection law might now have changed, the case still provides important lessons for organisations in terms of protecting the public’s personal information and their legal rights.

People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it.

The ICO has fined Yahoo! UK Services Limited £250,000 after a cyber-attack in November 2014. The incident was not publicly disclosed until September 2016, at which point we began a detailed and complex investigation into the matter, focusing on the impacted UK user accounts.

The investigation, carried out under the Data Protection Act 1998, found that Yahoo! had failed to prevent unauthorised access to the personal data of approximately 500 million international users of its services.

Our investigation considered the circumstances under which that personal data came to be placed at risk. In particular, my office focused on the 515,121 UK accounts that Yahoo! UK Services Limited, based in London, had responsibility for as a data controller.

In summary, our investigation found:

  • Yahoo! UK Services Ltd failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorised persons;
  • Yahoo! UK Services Ltd failed to take appropriate measures to ensure that its data processor – Yahoo! Inc – complied with the appropriate data protection standards;
  • Yahoo! UK Services Ltd failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data;
  • The inadequacies found had been in place for a long period of time without being discovered or addressed.

The scale of the fine reflects Yahoo! UK Services Ltd’s specific responsibilities as a data controller. It is limited in scope to the 515,121 customers of Yahoo! UK Services Ltd who were affected. A number of investigations by other Data Protection Authorities and law enforcement agencies in relation to the data incident are ongoing.

The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data. Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.

If you want more details on the fine you can read the penalty notice here.

Since our investigation, the law has changed. Under the General Data Protection Regulation and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere.

We accept that cyber-attacks will happen and as the cyber-criminals get shrewder and more determined, the protection of data becomes even more of a challenge. However, organisations must take appropriate steps to protect the data of their customers from this threat.

The ICO will continue to work closely with our law enforcement and cyber-security partners to ensure that we also meet the challenges that the threat of malicious cyber-attacks presents.

But organisations need to protect their customers and, as Information Commissioner Elizabeth Denham said in her recent speech at the National Cyber Security Centre (NCSC), organisations need to do more than just shut the door. They need to lock it. Then check the locks.

But they must remember that it’s no good locking the door if you leave the key under the mat.

We’ve published helpful guidance on the steps organisations can take to protect themselves. Our Guide to the GDPR includes content on security, and we’ve also worked closely with the NCSC to develop joint guidance on an approach organisations can take to put appropriate technical measures in place.

James Dipple-Johnstone is Deputy Commissioner for Operations at the ICO. He oversees the Enforcement and Assurance departments as well as those for Data Protection Complaints and Reviews and FOI Complaints and Appeals.