Yahoo's British subsidiary has been fined £250,000 by the UK's data watchdog after losing the data of more than half a million people.

The fine is equivalent to just less than 50p for ever British user who was affected by the attack and follows another fine of $35m (£26m) issued by the US Securities and Exchange Commission.

Although the data breach took place in 2014, Yahoo kept the loss of around 500 million international users quiet until 2016.

That data breach at Yahoo is just another in a long line of security woes at the company, which was acquired by Altaba in 2017 after a period of rapid decline.

Last year while under new ownership the company acknowledged that another data breach in 2013 affected all three billion of its users.


The Information Commissioner's Office (ICO) said that 515,121 accounts belonging to British users were compromised in the attack.

Because the data breach took place in 2014, the ICO said that it would be using the Data Protection Act 1998 which sets a maximum fine of £500,000, although the new EU-wide GDPR law allows companies to be fined up to 4% of their global turnover.

The ICO added that the company failed to take appropriate measures to ensure that users' data was properly secured.

Image: Marissa Mayer, Yahoo's former chief executive, did not disclose the breaches immediately

Yahoo's former chief executive, Marissa Meyer, did not reveal the breach after it took place in 2014 - something which companies would be obliged to do under the GDPR.

The compromised personal data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

The ICO's deputy commissioner of operations, James Dipple-Johnstone, said: "People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it.

"The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."

Mr Dipple-Johnstone added: "Cyber attacks will happen, that's just a fact, and we fully accept that they are a criminal act.

"But as the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in."