The Yahoo data breach means “serious questions” must be asked of the internet giant, Information Commissioner Elizabeth Denham has said.
Personal details of around 500 million Yahoo users were compromised in a cyber attack on the firm in 2014, the company confirmed yesterday, and now Ms Denham has said lessons must be learned by those companies that handle personal data.
“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be,” she said.
“The US authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today.
“We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data.
“People’s personal information must be securely protected under lock and key – and that key must be impossible for hackers to find.”
Yahoo confirmed that while most user passwords were encrypted and not visible to hackers, many security questions and answers linked to accounts were visible. This has led to criticism from analysts over Yahoo’s security set-up and failure to report the breach.
Alex Mathews, from online security firm Positive Technologies, said: “The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul.
“If the investigation determines that this extremely sensitive information was stored unencrypted, then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.”
Yahoo has urged all users to change their passwords and security questions in the wake of the breach, while broadcaster Sky has advised its customers to do the same, as Yahoo provides its email service.
“At Sky, we take the security of our customers’ data and information extremely seriously,” the company wrote on the help page of its website.
“You may have seen that overnight Yahoo! announced that a copy of certain user account information was stolen from its company’s network in late 2014. Yahoo! is the provider of sky.com email accounts.
“If you are a sky.com email holder, in line with the advice provided by Yahoo!, we advise that you change your passwords online and follow good password management practices.”