This article is more than 2 years old

This article is more than 2 years old

Yahoo has been fined £250,000 over a hack from 2014 that affected more than 515,000 UK email accounts co-branded with Sky, the Information Commissioner’s Office has announced.

The personal data of 500m user accounts worldwide was compromised during a state-sponsored cyber attack in 2014, which was only revealed in 2016. The stolen data included names, email addresses, telephone numbers, passwords and encrypted security questions and answers, the ICO said on Tuesday.

The ICO said the fine related to the impact on 515,121 accounts that were co-branded as Sky and Yahoo services in the UK, for which Yahoo! UK Services Ltd is the data controller.

The data protection watchdog said the internet firm had “failed to prevent” the Russia-sponsored hack, following an investigation carried out under the Data Protection Act 1998. James Dipple-Johnstone, ICO’s deputy operations commissioner, criticised “inadequacies” that had been in place for a long time at Yahoo without being “discovered or addressed”.

ICO said Yahoo had failed to take appropriate measures to prevent the theft of data and failed to ensure that data was processed by Yahoo’s US arm with appropriate data protection standards.

Dipple-Johnstone said: “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

Yahoo declined to comment. The firm has since been acquired by US cable operator Verizon and was merged with fellow original internet firm AOL to form Oath, an operator of various specialists sites and internet services.

“We accept that cyber-attacks will happen and as the cybercriminals get shrewder and more determined, the protection of data becomes even more of a challenge,” said Dipple-Johnstone. “However, organisations must take appropriate steps to protect the data of their customers from this threat.”

Yahoo also suffered a larger data breach in 2013 that affected 1bn accounts but it was only revealed in 2016, after the disclosure of the 2014 hack.