Yahoo Hack Raises ‘Serious Questions’ From EU Privacy Watchdogs

(Bloomberg) -- The hack on Yahoo! Inc. that compromised the personal data of at least 500 million users is raising “serious questions” among European Union privacy regulators.

The “vast number of people affected by this cyber-attack is staggering and demonstrates just how severe the consequences of a security hack can be,” U.K. Information Commissioner Elizabeth Denham said in a statement Friday. Like their U.K. neighbors, Irish data protection regulators said they have asked Yahoo “a number of issues for which we are seeking further information and clarification.”

In a statement Thursday, Yahoo said that the personal information was stolen in an attack on its accounts in late 2014, exposing a wide swath of its roughly 1 billion users. The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, un-encrypted security questions and answers, Yahoo said.

“The U.S. authorities will be looking to track down the hackers, but it is our job to ask serious questions of Yahoo on behalf of British citizens and I am doing that today,” the U.K. privacy regulator said Friday. “We don’t yet know all the details of how this hack happened, but there is a sobering and important message here for companies that acquire and handle personal data.”

Personal information “must be securely protected under lock and key -- and that key must be impossible for hackers to find,” Denham said.

The Irish regulator said it has contacted the U.S. Federal Trade Commission to “coordinate our respective inquiries.” In the meantime, it said users should follow the actions outlined in an extensive guidance by Yahoo.

While European watchdogs’ fining powers remain minimal, in some cases even non-existent, new EU-wide rules will take effect in 2018 that could boost sanctions by any of the bloc’s national regulators to as much as 4 percent of a company’s global annual sales.

Given the scale of the attack, and the time it has taken for it to become public, Yahoo will face a series of investigations, said Johannes Caspar, one of the more outspoken privacy regulators in Germany.

“The whole thing is pretty gruesome,” Caspar said in an e-mail. “Not only the many millions of users that are affected by the hack make you think, but also the late timing by which the whole thing became public.”

Yahoo in Thursday’s statement said it “is notifying potentially affected users and has taken steps to secure their accounts.” It also recommended that users who haven’t changed their password since 2014, do so now.

To contact the reporter on this story: Stephanie Bodoni in Brussels at sbodoni@bloomberg.net. To contact the editors responsible for this story: Anthony Aarons at aaarons@bloomberg.net, Anthony Palazzo