Yahoo’s European regulator has ordered it to make privacy changes following a probe into what it said was one of the largest ever data breaches to impact EU citizens.

Yahoo, most of whose assets were acquired by Verizon Communications Inc, said in 2016 that at least 500 million of its accounts had been hacked two years earlier by cyber thieves who may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords.

Ireland’s Data Protection Commissioner (DPC), the lead European regulator on privacy issues for Yahoo because the company’s European headquarters are in Dublin, said on Thursday that Yahoo’s data processing operations did not meet the standards required by EU law.

The breach affected around 39 million European users and was the largest the DPC has every investigated, it said.

It ordered the internet company to take specified actions, including ensuring that all its data protection policies take account of the applicable data protection law, and are reviewed and updated at defined regular intervals.

It also must update its data processing contracts and procedures associated with such contracts to comply with data protection law.

The DPC, which also regulates other online giants such as Facebook and Apple, was not able to fine the company for the breach. Under a new EU-wide data protection law that came into force last month, it can issue fines of up to 20 million euros or 4 percent of a company’s global turnover.

Topics Cyber Europe