Latest Yahoo data breach revelations a 'further cause for concern', says UK watchdog

Out-Law News | 10 Oct 2017 | 2:50 pm | 1 min. read

The UK's information commissioner has expressed her disappointment after Yahoo announced that three times as many accounts may have been affected by a data breach than previously thought.

Last December, Yahoo reported that more than one billion Yahoo customers' details had been compromised by hackers in a data breach incident that occurred in August 2013.

Now the company has said that the data of all of its approximate three billion account holders had been compromised in the attack. Yahoo is now part of Oath, a subsidiary of US telecoms giant Verizon, which completed its acquisition of Yahoo earlier this year.

"Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," a statement issued by the company said.

"While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement," it said.

UK information commissioner Elizabeth Denham, who is the country's data protection watchdog, said the announcement gave her office "further cause for concern".

"It is very disappointing to see the company is apparently still uncovering additional problems despite the length of time since the breach occurred," Denham said. "We are talking to Yahoo and have advised them to contact all customers affected as soon as possible. We continue to investigate alongside the relevant international authorities to ensure the data protection interests of UK customers are considered."

The August 2013 data breach suffered by Yahoo was the second major cyber incident that the company disclosed last year. In September 2016, Yahoo announced that it believed the personal data of at least 500 million Yahoo account holders had been stolen in a "state-sponsored" cyber attack in late 2014.

The 2014 data breach was thought at the time of disclosure to be the largest recorded in history. Yahoo's handling of that incident was closely observed by data protection authorities.