WP29’s open letter to Yahoo to explain mass data breach, involving more than 500 million user accounts

Following the massive Yahoo data leak – which involved over 500 million user accounts being accessed – the EU’s Article 29 Data Protection Working Party (WP29) has put tremendous pressure on the multinational technology company to explain the breach.

This can only be a good thing – these mass data breach organisations need to be held to account, and need to be robustly questioned on how they have managed to allow such breaches to happen!

Letter to Yahoo

On the 27 October, WP29 wrote an open letter to Yahoo’s CEO, Ms Marissa Mayer. The letter detailed the breach that occurred in 2014, and conveyed its (and the general public’s) dismay that they failed to notify users of the hack sooner than they did.

In fact, it was not until September this year that it was made public knowledge. Chief Information Security Officer, Bob Lord, posted it on the social media site Tumblr following internal investigations of the personal data that was stolen, which ended up amounting to more than half a billion users!

Concerns

Firstly, why did Yahoo not seek to notify their customers as soon as they were made aware of the breach? Secondly, the stolen data is thought to include millions of users in the EU, thus breaching EU privacy protections, as well as the UK’s own laws.

As citizens of the UK and the EU (for now) we are protected by data protection regulations, and this cyber-attack goes against our rights to privacy as well as our general data protection rights. As WP29 are equipped and responsible for the protection of European citizens’ data, they’re well within their powers to seek answers from Yahoo.

The letter also puts pressure on Yahoo to make further enquiries and investigations to address all aspects of the breach. They call for Yahoo to notify all affected customers to them to take any action necessary as a result of the data breach.

The WP29 are specifically concerned with:

Investigations from multiple parties?

The WP29 correctly warns that there may be further investigations made by national Data Protection Authorities as well; asking for Yahoo’s full cooperation with the investigations. It’s likely that the independent national authorities will want to understand the full nature of the breach and then make assessments for remedial action, which can vary between EU states.

The WP29 gives their 100% backing of independent national authorities choosing to undertake their own investigations, which might increase pressure for Yahoo to give justifications for their actions. Failing that, citizens of the EU may expect remedial action proportionate to the harm Yahoo has potentially caused.

Surveillance

It is not just the stolen data that is concerning Yahoo at the moment; it is also the fact that Yahoo has recently been slammed for liaising with ‘Governmental bodies’ to undertake surveillance activity. Reportedly, they enabled the U.S. authorities to scan users’ emails in 2015 looking for specific information.

National security appears to be the defence for Yahoo to put forward, and there has always been a delicate balancing act between national security and privacy. However, it does not take away from the fact that Yahoo has breached data protection principles in our view.

Yahoo’s acknowledgement

Thus far, Yahoo has acknowledged the letter that was signed by the Chairwoman of the WP29, and pledged to respond as appropriate. It will be interesting to see what, if any, justifications Yahoo have for allowing the mass surveillance and the lack of data protection which has caused millions to feel way more vulnerable to further breaches.

The 56 Dean Street Clinic Breach – A look back on what happened

“Open data requires the same level of protection as private data” – Sir Tim Berners-Lee warns that not protecting open data could “create chaos”