(Bloomberg) -- Yahoo was ordered to make “specified and mandatory” changes as its chief privacy regulator in Europe concluded a probe into one of the “biggest data breaches in history,” saying the U.S. tech firm hadn’t done enough to avoid leaks.

The oversight of the data processing operations by Yahoo failed to meet the standards required under EU law and the company “did not take sufficient reasonable steps” that ensure that the needed technical security and organizational measures were in place, the Irish data protection regulator said, according to a statement late last week.

“The data breach ranks as one of the largest breaches to impact EU citizens, affecting approximately 39 million European users,” the Irish authority said. “It is the largest breach which has ever been notified to and investigated” by the watchdog.

Yahoo is now part of Verizon Communications Inc.’s Oath internet unit. Oath declined to comment.

The revelation by Yahoo in 2016 that the personal information of about half a billion people was stolen in a 2014 attack on its accounts, was followed just a few months later by the news of a second major security breach that may have affected more than 1 billion user accounts.

Under new European Union rules in place since May 25, such violations could lead to fines of as much as 4 percent of a company’s global annual sales. The law applies to violations committed on or as of that date and not retro-actively. The office of Helen Dixon, the Irish privacy commissioner, is the lead regulator for companies with EU bases there, including Yahoo, Facebook Inc., Apple Inc. and LinkedIn Corp.

Bloomberg News