Ireland’s Data Commissioner ‘urgently’ examining Yahoo hack

Tech giant says data from more than 1 billion accounts stolen in 2013 cyber attack

Yahoo said personal information including names, email addresses and security questions were all accessed by a “third-party” in the August 2013 breach.
Yahoo said personal information including names, email addresses and security questions were all accessed by a “third-party” in the August 2013 breach.

Ireland's Data Protection Commissioner has said it is "urgently" examining the facts of the latest Yahoo data breach after the company revealed one billion users had their information stolen in a 2013 cyber attack.

The commissioner’s office said in a statement on Thursday it had been updated on Wednesday evening by Yahoo EMEA, based in Dublin, on the latest developments.

“We are urgently examining the facts that have been made available to us in order to ascertain the further investigative questions we need to pose and steps to be taken in order to ultimately conclude if European data protection laws have been breached,” the office said.

“Yahoo EMEA is the Irish-based data controller for all European-based users of the Yahoo services and has obligations under Irish data protection laws to ensure any processor to which it transfers personal data (in this case to Yahoo Inc) provides sufficient guarantees in respect of the technical security measures governing the processing.”

READ MORE

Continuing investigation

The office said it was also continuing its investigation into Yahoo in relation to the data breach notified in September, including an examination of the latest information provided on that incident.

“We understand that Yahoo is issuing guidance to affected users. Users should take the actions outlined in that guidance.”

Yahoo, which is currently the subject of a $4.83 billion (€4.59 billion) takeover by telecoms giant Verizon, revealed on Wednesday that personal information including names, email addresses and security questions were all accessed by a "third-party" in the August 2013 breach.

It said no financial information was at risk.

The firm says it was contacted by law enforcement in November with a large number of data files that hackers had claimed was Yahoo user data.

“Based on further analysis of this data by the forensic experts, we believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo said.

It believed the attack was separate to the one it reported in September, which affected about 500 million users, but that the incident could have been carried out by the same “state-sponsored actor”.

Country breakdown

Yahoo has yet to disclose a country breakdown of how many accounts have been affected. However, the company has a range of services, including email, Tumblr, Flickr and Yahoo Finance, all of which are believed to be at risk.

Figures suggest the firm has about one billion active users, though many users have multiple or dormant accounts.

The 2013 breach was believed to be the world’s biggest known cyber breach by far.

(Additional reporting: PA)