Hack puts 130,000 addresses at risk
Spark says information from 130,000 Xtra email addresses is “at risk” as a result of a massive hack on Yahoo in 2014 that only came to light last week.
Privacy Commissioner John Edwards praised Spark but questioned Yahoo’s response and said the hack showed the need for a New Zealand law to force companies to own up to data breaches.
Yahoo said last week that 500 million email customers had information stolen in the attack which it believed had the backing of a foreign government.
The attack also affected Spark customers as it outsourced its Xtra email service to Yahoo in 2007.
Spark said about 15 per cent of its 825,000 Xtra email addresses were at risk.
The information stolen from Yahoo includes unencrypted questions and answers to security questions that could be used to reset account passwords. These are commonly answers to questions such as a pet’s name or the name of people’s first school or car.
The leak of that information could cause customers’ other online services to be hijacked, in cases where they had supplied the same information.
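The mechanism described above, storing security answers in clear text so that a stolen copy of the database hands an attacker everything needed to answer the reset prompt, has a standard mitigation: treat the answer like a password. The following is an added example, not code from the article or from Spark or Yahoo. It sketches a hypothetical reset store that keeps each answer as a salted scrypt hash of a normalised form (so a leaked record does not reveal the answer) and bounds the number of reset attempts (so a guessable answer cannot simply be brute-forced at the prompt). All function names, the scrypt cost parameters and the attempt limit are assumptions chosen for illustration.

```python
"""Hashed storage of password-reset security answers (added example, hypothetical).

A breach of a store built this way leaks salts and hashes, not the answers
themselves. The answers are still low-entropy, so the reset flow also caps
attempts instead of letting a guesser try every common pet name.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed scrypt cost parameters for this example (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def normalize_answer(answer: str) -> str:
    """Case-fold, strip accents and collapse whitespace so that the legitimate
    user is not rejected for typing "fluffy " instead of "Fluffy"."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        normalize_answer(answer).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN,
    )


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store: a per-answer random salt plus the scrypt hash.
    The plaintext answer is never written anywhere."""
    salt = salt or os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(answer, salt).hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(_derive(candidate, salt).hex(), record["hash"])


class ResetChallenge:
    """One password-reset session: a bounded number of answer attempts, after
    which the session locks regardless of whether the next answer is right."""

    MAX_ATTEMPTS = 5  # assumed limit for the example

    def __init__(self, record: dict) -> None:
        self.record = record
        self.failures = 0
        self.locked = False

    def attempt(self, candidate: str) -> bool:
        if self.locked:
            return False
        if verify_answer(self.record, candidate):
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample: what a leaked record looks like for the answer "Fluffy".
    record = hash_answer("Fluffy")
    print("stored record (no plaintext):", record)
    session = ResetChallenge(record)
    for guess in ["rex", "max", "bella", "charlie", "lucy"]:
        print(guess, "->", session.attempt(guess))
    print("locked after limit:", session.locked)
    print("correct answer after lock:", session.attempt("Fluffy"))
```

Two points of the design are worth noting. Hashing changes what a breach exposes, but it does not make the answer itself any harder to guess, which is why the attempt cap matters as much as the hash. And the normalisation step runs before hashing on both the enrol and verify paths, so an answer typed with different capitalisation or stray spaces still verifies without the store ever holding it in the clear.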
Spark spokeswoman Michelle Baguley said it would be asking affected customers to immediately change their passwords.
At least the majority of impacted Xtra customers had not had unencrypted security questions and answers stolen, she said.
Yahoo had told Spark it had no evidence that the stolen information had been used to gain unauthorised access to Spark accounts, meaning their actual emails, she said.
Edwards said he was monitoring the Yahoo hack.
He did not believe it was acceptable that security questions and answers were stored unencrypted by Yahoo and he expected that would be an issue privacy investigators in the United States and Ireland would look into.
“Your mother’s maiden name remains your mother’s maiden name – there is nothing you can do to change that. These kinds of ‘prompts’ are not good enough any more I think.”
Edwards said he was grateful that Spark quickly alerted his office to the breach and immediately began taking action to resolve it.
“The fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification,” he said.
The Government signalled in 2012 that it intended to introduce a law that would force companies to promptly disclose serious data breaches but it has not yet been implemented.
Justice Minister Amy Adams said she intended to introduce a new Privacy Bill to Parliament next year.
“With significant information held offshore by companies like Yahoo, new measures will also address privacy concerns about cross-border information flows.”