Commissioner urges Spark to open up about email hack
Privacy Commissioner John Edwards has called on Yahoo and its New Zealand partner Spark to be more forthcoming about how many New Zealanders have been affected by a hacker attack on Yahoo and what was stolen.
In what is believed to be history’s biggest data breach, Yahoo confirmed on Thursday that hackers had infiltrated its system in 2013, putting 1 billion accounts at risk.
Edwards said it was a “massive breach”, eclipsing a similar breach in 2014 which targeted 500 million accounts.
In the latest case, telephone numbers, names, email addresses, hashed passwords, dates of birth, and unencrypted and encrypted security questions were among the data stolen.
Yahoo said it had not yet identified the hackers but believed payment card data and bank account information were not stored in the system they accessed.
In a statement, Spark said it was working to determine if any of the 450,000 accounts on its Xtra email service, which is partnered with Yahoo, had been hacked.
But it stressed no security questions and answers had ever been stolen from Yahoo for New Zealand customers.
“We store these here in New Zealand, fully encrypted. The information in question for New Zealand customers is user name and password combinations,” a Spark spokeswoman said.
Edwards said a significant number of Kiwis were likely to be affected, some of whom would have used Yahoo independently of Spark.
“I would expect Yahoo to be in touch with those people.”
It was early days but he also expected Spark and Yahoo to be more forthcoming with details.
The breach “once again shows the importance and urgency of having a breach notification law”, which the Government had committed to two years ago but had yet to enact, Edwards said.
Yahoo would probably suffer financially from the disclosure, he added. A drop in share price could also affect its proposed merger with Verizon.