The Data Protection Commissioner’s Office has said it is joining forces with US authorities to co-ordinate their enquiries into the theft of information from at least 500m Yahoo users’ accounts.
The company said on Thursday that it believed a “state-sponsored actor” stole information including names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
Yahoo’s European Headquarters are in Ireland, and the Data Protection Commissioner’s office yesterday confirmed that the company has made contact to notify it of the breach.
Yahoo blaming state-sponsored hackers for stealing information from about five hundred million users https://t.co/gVfoHrv6hI— RTÉ News (@rtenews) September 23, 2016
“We have raised a number of issues with Yahoo for which we are seeking further information and clarification. We are presently awaiting their response,” a spokesperson for the DPC said.
“Additionally, under a memorandum of understanding with the US Federal Trade Commission (FTC) facilitating co-operation between the two offices, the DPC is making contact with the FTC to co-ordinate our respective enquires.
“Yahoo has issued extensive guidance to affected users and this office recommends that users take the actions outlined in that guidance. We would also recommend that affected users carry out a malware check on their devices to protect against unauthorised third party access,” the spokesperson said.
Yahoo this week said the breach happened in late 2014.
The company said that the stolen information did not include unprotected passwords, payment card data, or bank account information, which is not stored in the system that was targeted.
A statement released by Yahoo added: “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Yahoo said it is notifying any potentially affected users and asking any users that have not changed their passwords in the last two years to do so.
Communications Minister Denis Naughten said there was no legal obligation for companies to report such breaches to the DPC, but a code of practice exists that encourages it.
“There are new laws coming into force from May 2018 which will oblige companies like Yahoo to report to the National Cyber Security Centre here in Ireland such breaches and the detail of them,” Mr Naughten told RTÉ News.
Mr Naughton urged the public to change their online passwords on a frequent basis and to use different passwords for different services.
Meanwhile US telecoms firm Verizon said in a statement it was only made aware of the breach “within the last two days”, despite agreeing a £3.7bn takeover of Yahoo’s core business in July.
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the statement read.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment,” the company said.
© Irish Examiner Ltd. All rights reserved