Irish DPC mulls probe as Yahoo admits hack of three billion
Irish data protection commissioner, Helen Dixon, is considering a fresh investigation into Yahoo after the company said all three billion of its email accounts were hacked and personal information stolen.
The online firm, recently bought out by Verizon subsidiary Oath, is the subject of a formal review by the data protection office here over a 2014 hack that exposed 500 million of its email accounts to thieves. However, the company now says that a separate 2013 attack, which it had earlier estimated at one billion email accounts, actually affected all three billion of its accounts. The damage to Yahoo account holders includes the theft of names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions.
Ms Dixon's office was notified of the original 2013 breach, but had not launched a specific investigation into that incident. But with the toll rising to three billion victims, the regulatory agency is reconsidering its options. The Irish DPC is the primary data watchdog for Yahoo in Europe because of the company's 300-strong European HQ in Dublin.
"The Data Protection Commissioner was first notified by Yahoo EMEA in December 2016 of the data breach identified as having taken place in 2013," said a DPC spokesman. "The DPC has been notified by Oath (EMEA), formerly Yahoo EMEA, of the further information that has been identified recently, relating to that same data breach incident. We are continuing to examine the facts being made available to us, so that we can determine the next steps."
Under soon-to-introduced EU data law, companies face fines of up to €20m or 4pc of global annual turnover in cases of data mismanagement.