Yahoo! UK Services Limited has been fined £250,000 as a result of serious inadequacies in technical and organisational controls which led to 515,121 customer details being stolen.
The customer details included user names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions. The personal details were removed from the servers of Yahoo! Inc in the US when an unauthorised transfer was made of 191 backup files containing the data from their network to a machine with a Russian IP address.
Attackers gained access by exploiting compromised credentials of Yahoo employees, possibly obtained through a third-party breach, phishing or a social engineering attack.
The Commissioner found that Yahoo! UK Services Ltd, as the Data Controller, had failed to put appropriate technical and organisational controls in place, and had not taken sufficient steps to ensure that Yahoo! Inc, the Data Processor, complied with the principles and had put appropriate controls in place.
Technical and organisational controls would have included appropriate monitoring systems to ensure that employees' credentials were protected, and to ensure that the transfer of large quantities of personal data was flagged for investigation before it could be carried out.
The Commissioner's conclusion was that:
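The monitoring control described above, flagging bulk transfers of personal data to addresses outside the organisation's network, can be approximated with a simple egress check. The code below is an added example written for this page; it is not code from the ICO, from Yahoo, or from any product. The trusted address ranges, the file and byte thresholds, the one-hour window and the log records are all constructed assumptions, and the destination addresses are documentation ranges, not real hosts. Events are aggregated per user over a sliding window so that a transfer split into many small chunks is caught as well as a single large one.

```python
"""Flag bulk transfers of personal data to external addresses (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: address ranges this hypothetical organisation treats as internal.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed assumption: a user is flagged once their personal-data transfers to
# external hosts reach either threshold within WINDOW_SECONDS.
FILE_THRESHOLD = 20
BYTE_THRESHOLD = 500 * 1024 * 1024  # 500 MiB
WINDOW_SECONDS = 3600


@dataclass(frozen=True)
class TransferEvent:
    """One record from a (hypothetical) file-transfer audit log."""
    ts: int              # epoch seconds
    user: str            # account that initiated the transfer
    dst_ip: str          # destination address
    files: int           # number of files moved
    nbytes: int          # bytes moved
    classification: str  # data label, e.g. "personal" or "public"


def is_external(dst_ip: str) -> bool:
    """True when the destination lies outside every trusted range."""
    addr = ip_address(dst_ip)
    return not any(addr in net for net in TRUSTED_NETS)


def flag_bulk_transfers(events, window=WINDOW_SECONDS):
    """Return {user: {"reasons": [...], "destinations": [...]}} for every user whose
    personal-data transfers to external hosts exceed a threshold within `window` seconds."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.classification == "personal" and is_external(ev.dst_ip):
            by_user[ev.user].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = files = nbytes = 0
        for end, ev in enumerate(evs):
            files += ev.files
            nbytes += ev.nbytes
            # Drop events that have fallen out of the window.
            while evs[end].ts - evs[start].ts > window:
                files -= evs[start].files
                nbytes -= evs[start].nbytes
                start += 1
            reasons = []
            if files >= FILE_THRESHOLD:
                reasons.append(f"{files} files sent to external hosts within {window}s")
            if nbytes >= BYTE_THRESHOLD:
                reasons.append(f"{nbytes} bytes sent to external hosts within {window}s")
            if reasons:
                alerts[user] = {
                    "reasons": reasons,
                    "destinations": sorted({e.dst_ip for e in evs[start:end + 1]}),
                }
                break  # one alert per user is enough; the analyst takes it from here
    return alerts


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    TransferEvent(0, "alice", "192.168.1.5", 191, 2 * 1024 ** 3, "personal"),  # internal: ignored
    TransferEvent(100, "bob", "203.0.113.7", 3, 1024 ** 2, "personal"),        # small, alone fine
    TransferEvent(200, "bob", "203.0.113.7", 25, 10 * 1024 ** 2, "personal"),  # pushes bob over
    TransferEvent(0, "dave", "203.0.113.7", 500, 1024 ** 2, "public"),         # not personal data
] + [
    # carol drips 40 files out in ten chunks over ten minutes
    TransferEvent(60 * i, "carol", "198.51.100.9", 4, 512 * 1024, "personal") for i in range(10)
]


def sample_alerts():
    """Run the check over the constructed log; used by the demonstration below."""
    return flag_bulk_transfers(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, info in sample_alerts().items():
        print(user, "->", info)
```

In practice the "classification" field would come from DLP labelling or from the source path (for instance, anything under a backup share), and an alert would be raised before the transfer completes rather than after the fact; the aggregation logic is the same either way.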
‘It was the duty of Yahoo! UK Services Limited to ensure that appropriate measures were taken to protect its users’ personal data.’
Under the GDPR, organisations need to demonstrate that they have technical and organisational controls in place and sufficient monitoring to identify potential data breaches.