UK Watchdog Issues $334K Fine For Yahoo's 2014 Data Breach

An anonymous reader quotes a report from The Register: Yahoo's U.K. limb has finally been handed a $334,300 (250,000 GBP) fine for the 2014 cyber attack that exposed data of half a million Brit users. Today, the Information Commissioner's Office issued Yahoo U.K. Services Ltd a $334,300 (250,000 GBP) fine following an investigation that focused on the 515,121 U.K. accounts that the London-based branch of the firm had responsibility for. The ICO said "systemic failures" had put user data at risk as the U.K. arm of Yahoo did not take appropriate technical and organizational measures to prevent a data breach of this size.

In particular, the watchdog said there should have been proper monitoring systems in place to protect the credentials of Yahoo employees who could access customer's data, and to ensure that instructions to transfer very large quantities of personal data from Yahoo's servers would be flagged for investigation. It also noted that, as a data controller, Yahoo U.K. services Ltd had a responsibility to ensure its processors -- in this case Yahoo, whose U.S. servers held the data on U.K. users -- complied with data protection standards.

Re:

[arglebargle_xiv]

That was my reaction as well. For USAians, there's a British expression "slap on the wrist with a wet bus ticket". This fine is a fine example of this.

So, about .50 GBP ...

[CaptainDork]

... per incident.

That's the damages? Seriously?

Re:

[mjwx]

... per incident.

That's the damages? Seriously?

The problem is if the UK or EU tries to fine them real money, Americans will get upset and cry that the evil Europeans are trying to punish American businesses.

Then they go on about some fantasy about what would happen if they picked up sticks and left... Which wont happen, the fantasy or the companies leaving.

Re:

[CaptainDork]

I have long felt that the EU should have kicked out the greedy sumbitches, opting to fabricate homegrown solutions.

A clever strategy would to wrap it, as the US is doing, in the "national security," blanket.

That's a reasonable fine for my data

[WillAffleckUW]

But what about all the other users?

Massively cheaper than actual security

[gweihir]

Having some experience with large-corporation implementation of security mechanisms, I would guess this fine is at the very least 10x cheaper than what implementation of actual security would have cost. May as well be 100x or even 1000x. As long as this is the utterly pathetic and laughable reaction to a massive data breach caused by extremely bad security, nothing will change.

Might want to check out some of the newest securit

[raymorris]

Based on the higher end you suggested, I wonder if you've looked at some of the newer security solutions that have come out in the last few years. As certain types of security solutions have been scaled, companies like Alert Logic now offer solutions at perhaps 1% of what similar things would have cost a few years ago.

Re:

[gweihir]

The higher end is for full custom, because nothing that fits is on the market. Also, remember Yahoo's size.

$355 total (most basic mom&pop security checkl

[raymorris]

We have several Fortune 50 customers, companies as big as Yahoo or bigger. Most of their security needs aren't that special. Securing a database isn't much different whether it has a 1,000 records or 100 million records. All the companies have their corporate email system, VPN, etc, that all need pretty much the same security treatment. The custom part is identifying the critical assets, a topic I shall return to shortly.

Several years ago, I owned a security company which specialized in serving VERY small w

Re:

[gweihir]

I do not dispute that where it can be done, a generic approach may be entirely appropriate. But there are IT landscapes were that is not possible and you need to go full custom at least in part. My estimate was for them and it does include costs on the customer side, not just what they pay to an external party.

As to salted MD5 to SHA-256, that is actually pretty simple in practice: If you need the protection now, you put both on top of each other, i.e. SHA-256(salt_new, MD5(salt, pwd)). The first time a cus

Just because it's impossible doesn't mean we don't

[raymorris]

That's cool you saw right away (or knew) *both* ways to convert. When I pose that question, a couple of people have thought of sha(md5(P)), but everyone insists it's impossible to actually convert md5(P) to sha(P). The more they know about cryptography, the more certain they are that it's impossible.

That's the thing about security - just because something is mathematically impossible doesn't mean we can't do it, or an attacker can't do it. Heat death of the universe blah blah, a well-worded phone call beat

You get what you pay for

[schwit1]

I've got a bridge to sell you if you were stupid enough to use a free service AND expect perfect security.

Re:

[hyades1]

And I've got a brand new word for you. "Egregious". You can look it up, if you like. Maybe you'll even be clever enough to figure out what it has to do with a corporation that makes a good buck selling SOME of your information, while implying through word and deed that the data you provide in return for its services will be respected.

Say it with me: "Egregious".

Chump change

[XSportSeeker]

A sub billion fine on a case like this is insulting, useless, and only incentivizes other companies to follow similar non-existant security practices.
Lets remember this wasn't only a small leak, but one of the biggest multiple leaks where the company purposedly hid for years the whole thing, allowed for it to happen multiple times over, and was unapologetic the entire time.

obComment

[cascadingstylesheet]

One Meeeelllion dollars!

Value?

[h8sg8s]

$334k is about the current value of Yahoo! Wonder if Verizon has buyer's remorse yet?