The decision on Tuesday comes less than a week after the Irish privacy watchdog, which is the lead authority for Yahoo in Europe, ordered the company to make “specified and mandatory” changes in the wake of one of the “biggest data breaches in history.” The U.K. Information Commissioner’s Office said Tuesday that the incident exposed the personal data of approximately 500 million international users of Yahoo’s services.
The revelation by Yahoo in 2016 that the personal information of about half a billion people was stolen in a 2014 attack on its accounts, was followed just a few months later by the news of a second major security breach that may have affected more than 1 billion user accounts.
“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop U.K. citizens’ data being compromised,” James Dipple-Johnstone, deputy commissioner of operations at the ICO, said in a statement.
Verizon Communications Inc. bought Yahoo last year for about $4.5 billion. The breaches threatened the deal, cost millions of dollars in legal fees and spurred more than 40 lawsuits in the U.S.