Irish probe into Yahoo hack 'ongoing' as four charged
Irish Data Protection Commissioner Helen Dixon will "continue to examine the facts" in advance of any Irish or European action against Yahoo, as US officials begin prosecuting people over a series of hacking attacks against the tech giant.
Last October, Yahoo disclosed that "at least" 500 million email accounts had been compromised. It blamed "state actors" for the hack, signifying that it could not have prevented the unprecedented attack because the perpetrator may have been activated by a highly-resourced nation state instead of a cybercriminal. As such, the company would not face the same degree of regulatory sanction.
US officials are now planning to unseal charges against four people, including two linked to the Russian intelligence service, according to a person briefed on the matter.
One person was arrested in Canada on Tuesday and was scheduled to appear in court Wednesday for an extradition hearing, according an officer with the court in Hamilton, near Toronto.
"The DPC's investigation into the incident that was reported to us last September is ongoing," said a spokeswoman for the Irish Data Protection Commissioner's office. "We are continuing to examine the information as it is provided to us by Yahoo EMEA, as part of that investigation. The DPC was notified of the further breach incidents in December and we are continuing to examine the facts that are being made available to us on those incidents, so that we can determine next steps."
Yahoo has been afflicted by two major breaches in recent years.
The company said in December that, in 2013, cyber-thieves siphoned information including users' email addresses, scrambled account passwords and dates of birth. The stolen data could allow criminals to go after more sensitive personal information elsewhere online.
From next year, European regulations provide that companies which fail to protect their users' personal data could be fined up to 4pc of annual turnover.
At present, there is no similar sanction for companies held to account by the Irish data protection regulator.
While the Irish watchdog may be close to concluding its investigation into the issue, agency policy is that details and audit reports are not published other than in circumstances where the company being probed decides itself to publish details.
Further allegations emerged in December about Yahoo co-operating with US authorities which wanted to gather information from Yahoo users' emails. Reuters reported that Yahoo secretly built a custom software program to search all of its customers' incoming emails for specific information provided by US intelligence officials. The report claimed that hundreds of millions of Yahoo Mail accounts were scanned at the behest of the American National Security Agency or FBI.
In December, the Irish DPC issued a statement promising an investigation of the issue.
"Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern by this office," said a spokeswoman at the time.
However, there has been little progress on this issue.
"The DPC will not be issuing any statements regarding our assessment of the alleged scanning of Yahoo users' emails," said a spokeswoman.
The European Commission is understood to be looking into the matter.
If reports that Yahoo co-operated in an email-snooping exercise at the behest of US spy authorities are substantiated, the company is facing serious repercussions in Ireland and Europe. Both the Irish data protection commissioner and EU courts have made clear that mass surveillance by US authorities on European personal data could carry penalties up to and including a block on data transfers into the US.
The Yahoo hacks recently led to management changes at the web company, which employs over 200 people in Dublin.
The firm's general counsel, Ronald Bell, left the web portal after the company found its legal team had had enough information about the security breaches to warrant further inquiry, but didn't sufficiently pursue it.
Ceo Marissa Mayer didn't receive a cash bonus last year and is to be replaced as ceo of Alibaba. However, Ms Mayer will receive a $23m (€21.6m) severance package and has $69m (€65m) of Yahoo stock options waiting to be exercised. Ms Mayer already owns $97m (€91m) in Yahoo shares.
The breaches have resulted in millions of dollars in legal and investigative costs, according to company filings, and spurred more than 40 lawsuits.
Yahoo also continues to work with the US Securities and Exchange Commission, Federal Trade Commission and other authorities on related inquiries.
The security breach, which happened years earlier, was revealed almost five months after Verizon's initial offer in July to acquire Yahoo's key internet assets including its finance, sports and other websites. Verizon then insisted on a better deal and ultimately, trimmed its offer price by $350m (€329m) to $4.48bn (€4.22bn) .
Under current Irish law, companies rarely receive punishment for data breaches, garnering written admonishments and enforcement notices instead.
The Irish data protection commissioner is Yahoo's principal governing regulator in Europe.
On Wednesday evening, the US Justice Department was due to hold a press conference in Washington DC outlining more details about the arrests and the ongoing investigation into the Yahoo breaches.
(Additional reporting, Bloomberg)