Britain's data protection watchdog on Tuesday imposed a £250,000 fine on Yahoo UK Services Ltd over a cyber-attack that occurred in November 2014.
Yahoo said in 2016 that at least 500 million of its accounts had been hacked two years earlier, Reuters reported.
The Information Commissioner’s Office (ICO) said it focused on the 515,121 UK accounts that London-based Yahoo UK Services oversaw as a data controller.
The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
The ICO investigation found Yahoo UK Services failed to protect the data and take steps to ensure parent Yahoo Inc complied with the appropriate data protection standards.
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures,” ICO’s Deputy Commissioner of Operations James Dipple-Johnstone said.
“…it’s no good locking the door if you leave the key under the mat.”
The inadequacies found had been in place for a long period without being discovered or addressed, the ICO added.
Yahoo’s European regulator has ordered it to make privacy changes following a probe into what it said was one of the largest ever data breaches to impact EU citizens.
Ireland’s Data Protection Commissioner, the lead European regulator on privacy issues for Yahoo, whose European headquarters are in Dublin, said last week Yahoo’s data processing operations did not meet standards required by EU law.
Yahoo UK did not immediately respond to a request for comment.