We now discover that Yahoo knew they were being hacked in 2014 but chose not to tell anybody. They delayed telling their customers until a hacker disclosed that they had obtained Yahoo customers' data.
Description of Event
On September 22, 2016, we disclosed that, based on an ongoing investigation, a copy of certain user account information for at least 500 million user accounts was stolen from Yahoo’s network in late 2014 (the “Security Incident”). We believe the user account information was stolen by a state-sponsored actor. The user account information taken included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Our investigation to date indicates that the stolen information did not include unprotected passwords, payment card data, or bank account information. Payment card data and bank account information are not stored in the system that the investigation found to be affected. Based on the investigation to date, we do not have evidence that the state-sponsored actor is currently in or accessing the Company’s network.
In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders.
The Company, with the assistance of outside forensic experts, continues to investigate the Security Incident and related matters. The Company is actively working with U.S. law enforcement authorities on this matter.
As described above, the Company had identified that a state-sponsored actor had access to the Company’s network in late 2014. An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed, the Company’s security measures, and related incidents and issues.
In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information.
Separately, on November 7, 2016, law enforcement authorities began sharing certain data that they indicated was provided by a hacker who claimed the information was Yahoo user account data. Yahoo will, with the assistance of its forensic experts, analyze and investigate the hacker’s claim that the data is Yahoo user account data.
The EU Watchdogs have sent the letter below to Yahoo:
"ARTICLE 29 Data Protection Working Party
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The secretariat is provided by Directorate C (Fundamental rights and rule of law) of the European Commission, Directorate General Justice and Consumers, B-1049 Brussels, Belgium, Office No MO59 02/27
Brussels, 27 October 2016
Dear Ms Mayer,
On 22 September 2016, in a message posted on Tumblr, Bob Lord, the Chief Information Security Officer of Yahoo Inc., announced that according to recent internal investigations, the personal data related to at least 500 million user accounts of Yahoo Inc. were stolen in 2014. It is understood that this includes the personal data of a substantial number of individuals in the European Union. Following this announcement, Yahoo notified the violation to certain data protection authorities in Europe.
As Data Protection Authorities (DPAs) in charge of the protection of European individuals’ data, we are deeply concerned by the report and the significant number of EU data subjects which may be affected.
Therefore, it is of the utmost importance that Yahoo devote significant resources to understand, communicate and address all aspects of this unprecedented data breach and notify the adverse effects to the data subjects using the services that your company provides. This must be carried out in a quick, comprehensive and easily understood manner so that Yahoo users across Europe will understand any action they need to take as a result of the breach. In particular, the WP29 is very much interested in the following information: the nature and content of the data concerned, the likely consequences of the breach, the number of people affected in each European country, the measures taken to notify the concerned data subjects and to mitigate the risks to the rights and freedoms of data subjects.
On all these questions, we ask that you co-operate fully with any enquiries made and/or investigations conducted by independent national DPAs to ensure that there is a complete understanding of the extent of the breach and the remedial actions being taken by Yahoo in relation to it. You may have noted that the WP29 has agreed, at the last Plenary, to dedicate a working group for enforcement actions on organisations targeting several member states. Your data breach will be naturally discussed within this group.
In addition, the WP29 was also informed that Yahoo has scanned customer emails for US intelligence purposes at the request of US intelligence agencies. According to reports, in 2015 Yahoo searched all of its customers’ incoming emails for specific information requested by US intelligence officials.
The reports are concerning to WP29 and it will be important to understand the legal basis and justification for any such surveillance activity, including an explanation of how this is compatible with EU law and protection for EU citizens.
Finally, the Article 29 Working Party expresses its support for the actions being taken or which may be taken by competent independent national authorities in respect of these issues.
We ask you to provide your response on the two aforementioned issues to the Chair of the WP29 (PresidenceG29@cnil.fr).
On behalf of the Article 29 Working Party,"
The rest of the world seems to be tackling Yahoo about the hack, but BT and the UK ICO seem to be doing nothing.