The U.K.’s data protection regulator has fined Yahoo’s U.K. division £250,000 (U.S. $331,203) following a cyber-attack in November 2014 that placed the personal information of over 500 million users at risk.

The Information Commissioner’s Office (ICO) also slammed the company for its decision to keep news of the attack secret for nearly two years, only disclosing it publicly in September 2016.

The ICO found that Yahoo’s U.K. arm failed to take appropriate technical and organisational measures to protect the data of 515,121 customers against exfiltration by unauthorised persons, and that the company failed to ensure appropriate monitoring was in place to protect the credentials of employees with access to Yahoo! customer data.

The regulator also found that Yahoo’s U.K. division failed to take appropriate measures to ensure that its data processor—parent company Yahoo Inc.—complied with the appropriate data protection standards.

Furthermore, “the inadequacies found had been in place for a long period of time without being discovered or addressed,” said the ICO.

The compromised personal data included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

Yahoo has declined to comment on the case.

Carolyn Bertin, IT and privacy lawyer at law firm Keystone Law, says that the ICO’s decision indicates that U.K. organisations with significant operations outside of the United Kingdom and the European Economic Area in countries that are not deemed adequate by the European Commission, such as the United States, “must put in place measures to ensure the lawful transfer to and processing in those countries.”

As the cyber-attack occurred before the EU’s General Data Protection Regulation (GDPR) came into force on 25 May, Yahoo could only be sanctioned under the U.K.’s Data Protection Act 1998, with the power to impose a maximum £500,000 (U.S. $662,408) penalty—significantly less than the maximum set penalty of €20 million (U.S. $27M), or 4 percent of global revenues permitted under GDPR.

The ICO says that the fine is one of the most significant it has levied for a data protection breach. But it is not the highest: that dubious privilege is jointly shared by telecoms provider Talk Talk, which was fined £400,000 (U.S. $529,926) in October 2016, and mobile phone seller Carphone Warehouse, which received the same penalty in January 2018. (The latter company, now called Dixons Carphone, is again in hot water this week after admitting a huge data breach, dating from last July, involving 5.9 million payment cards and 1.2 million personal data records.)

ICO Deputy Commissioner of Operations, James Dipple-Johnstone, said in a blog: “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures and potentially stop U.K. citizens’ data being compromised.”

While the ICO may feel that the £250,000 fine is “significant”, lawyers and data experts believe that the company has “dodged a bullet.”

Robert Wassall, data protection lawyer and head of legal services at ThinkMarble, points out that since Yahoo was fined 50 percent of the maximum penalty available under the Data Protection Act, on a “like for like” basis under GDPR, that could equate to €10 million (U.S. $13M). Alternatively, if based on a percentage of Yahoo’s U.S. $5.17 billion revenues for 2016, that could mean a fine of U.S. $206.8 million, says Iain Jenkins, GDPR expert at Blacks Solicitors.

Kate Brimsted, U.K. head of data privacy and cyber-security at law firm Bryan Cave Leighton Paisner, says that the maximum penalty could be even higher than that.

“The maximum fines under GDPR are set at the higher of 4 percent annual global turnover or €20 million. But the assessment is on an ‘undertaking’ basis, not a company basis,” says Brimsted. “This means that—depending on the facts—the level could be based on multiple companies’ or even a whole group’s turnover which could be very substantial indeed.”

She adds that deliberate non-disclosure will probably be viewed very seriously under GDPR and is likely to be regarded as a separate breach in its own right and/or seen as a lack of cooperation with the regulator, which “could be expected to increase the overall level of fine.”