State’s Data Protection Commissioner’s Office and US authorities to probe Yahoo breach

The Data Protection Commissioner’s Office has said it is joining forces with US authorities to co-ordinate their enquiries into the theft of information from at least 500m Yahoo users’ accounts.

The company said on Thursday that it believed a “state-sponsored actor” stole information including names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.

Yahoo’s European Headquarters are in Ireland, and the Data Protection Commissioner’s office yesterday confirmed that the company has made contact to notify it of the breach.


“We have raised a number of issues with Yahoo for which we are seeking further information and clarification. We are presently awaiting their response,” a spokesperson for the DPC said.

“Additionally, under a memorandum of understanding with the US Federal Trade Commission (FTC) facilitating co-operation between the two offices, the DPC is making contact with the FTC to co-ordinate our respective enquires.

“Yahoo has issued extensive guidance to affected users and this office recommends that users take the actions outlined in that guidance. We would also recommend that affected users carry out a malware check on their devices to protect against unauthorised third party access,” the spokesperson said.

Yahoo this week said the breach happened in late 2014.

The company said that the stolen information did not include unprotected passwords, payment card data, or bank account information, which is not stored in the system that was targeted.

A statement released by Yahoo added: “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”

Yahoo said it is notifying any potentially affected users and asking any users that have not changed their passwords in the last two years to do so.

Communications Minister Denis Naughten said there was no legal obligation for companies to report such breaches to the DPC, but a code of practice exists that encourages it.

“There are new laws coming into force from May 2018 which will oblige companies like Yahoo to report to the National Cyber Security Centre here in Ireland such breaches and the detail of them,” Mr Naughten told RTÉ News.

Mr Naughton urged the public to change their online passwords on a frequent basis and to use different passwords for different services.

Meanwhile US telecoms firm Verizon said in a statement it was only made aware of the breach “within the last two days”, despite agreeing a £3.7bn takeover of Yahoo’s core business in July.

“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the statement read.

“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment,” the company said.


Cupid must be something of a motoring enthusiast, as he had most definitely steered his way in the neighbourhood when Amie Gould and Shane O’Neill met at the Rally of the Lakes 12 years ago.Wedding of the Week: Cupid steers couple to right track

When it comes to podcasting, all it takes is one idea — and who knows where it can take you.Podcast Corner: Crimes and creatures rule at Cork’s first podcast fest

Claymation meets science fiction in this enchanting film, writes Esther McCarthy.Latest Shaun adventure is out of this world

After breaking through as a character with mental health issues in her hit TV series, Irish actress Aisling Bea is happy to take another step to stardom in a new Netflix comedy with Paul Rudd, writes Ed Power.Aisling Bea and Paul Rudd team up for new comedy

More From The Irish Examiner