UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customer's data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

So, about .50 GBP ...

[CaptainDork]

... per incident.

That's the damages? Seriously?

Massively cheaper than actual security

[gweihir]

Having some experience with large-corporation implementation of security mechanisms, I would guess this fine is at the very least 10x cheaper than what implementation of actual security would have cost. May as well be 100x or even 1000x. As long as this is the utterly pathetic and laughable reaction to a massive data breach caused by extremely bad security, nothing will change.