Yahoo called on to share details of data breach with EU watchdogs

Out-Law News | 02 Nov 2016 | 4:48 pm | 2 min. read

Yahoo should disclose more details of the data breach it reported earlier this autumn, a committee of European data protection authorities (DPAs) has said in a letter to the internet giant.

Isabelle Falque-Pierrotin, chair of the Article 29 Working Party (WP29), said the watchdogs are "deeply concerned by the report" and that a "significant number" of EU-based consumers "may be affected" by the breach.

In September, Yahoo announced that it believed the personal data of at least 500 million Yahoo account holders was stolen in a "state-sponsored" cyber attack in late 2014. The data breach is reportedly the largest recorded in history.

Yahoo chief information security officer Bob Lord said at the time that data that might have been stolen includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

In writing to Yahoo chief executive Marissa Mayer on behalf of the Working Party, Falque-Pierrotin said in the letter (2-page / 140KB PDF) that "it is of the utmost importance that Yahoo devote significant resources to understand, communicate and address all aspects of this unprecedented data breach and notify the adverse effects to the data subjects using the services that your company provides". She said "this must be carried out in a quick, comprehensive and easily understood manner so that Yahoo users across Europe will understand any action they need to take as a result of the breach".

Falque-Pierrotin said: "In particular, the WP29 is very much interested in the following information: the nature and content of the data concerned, the likely consequences of the breach, the number of people affected in each European country, the measures taken to notify the concerned data subjects and to mitigate the risks to the rights and freedoms of data subjects. On all these questions, we ask that you co-operate fully with any enquiries made and/or investigations conducted by independent national DPAs to ensure that there is a complete understanding of the extent of the breach and the remedial actions being taken by Yahoo in relation to it."

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law, predicted at the time the data breach was reported by Yahoo that the company would be likely to face scrutiny from data protection authorities over the incident.

Wynn said: "It is not only the security measures that Yahoo put in place to prevent a cyber attack, but also Yahoo's incident response procedures that are likely to come in for scrutiny by regulators. The authorities are likely to want to know why Yahoo is only now reporting the incident when it appears to have taken place more than 18 months ago and when there were reports earlier this summer about a possible breach."

Wynn said that having an internal breach reporting procedure is something organisations have been recommended to put in place by the UK's data protection authority, the Information Commissioner's Office (ICO). She said putting one in place can help businesses comply with their requirements to notify data breaches under the new General Data Protection Regulation (GDPR).