The ICO has fined Yahoo! UK Services Limited £250,000 after a cyber-attack in November 2014. The incident was not publicly disclosed until September 2016, at which point we began a detailed and complex investigation into the matter, focusing on the impacted UK user accounts. The investigation, carried out under the Data Protection Act 1998, found that Yahoo! had failed to prevent unauthorised access to the personal data of approximately 500 million international users of its services.Our investigation considered the circumstances under which that personal data came to be placed at risk. In particular, my office focused on the 515,121 UK accounts, that Yahoo! UK Services Limited – based in London - had responsibility for as a data controller.