[BreachExchange] Yahoo Fails to Cooperate with Hack Probe, Says German Cyber Agency

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 11 20:13:14 EDT 2017


Germany’s federal cyber agency said on Thursday that Yahoo Inc. had not
cooperated with its investigation into a series of hacks that compromised
more than one billion of the U.S. company’s email users between 2013 and

Yahoo’s Dublin-based Europe, Middle East and Africa unit “refused to give
the BSI any information and referred all questions to the Irish Data
Protection Commission, without, however, giving it the authority to provide
information to the BSI,” Germany’s BSI computer security agency said.

A BSI spokesman said it decided to go public after Yahoo repeatedly failed
to respond to efforts to look into the data breaches and garner lessons to
prevent similar lapses. BSI also urged internationally active Internet
service providers to work more closely with it when German customers were
affected by cyber attacks and other computer security issues.

Yahoo did not respond to requests for comment, while Ireland’s data
protection agency was not immediately available.

The BSI’s statement comes at a time of heightened German government
concerns about Russian meddling in national elections in September, after
cyber attacks on the French and U.S. presidential elections which have been
linked to Russia.

The U.S. Justice Department in March charged two Russian intelligence
agents and two hackers with masterminding the 2014 theft of 500 million
Yahoo accounts, marking the first time the U.S. government had criminally
charged Russian spies for cyber offenses. U.S. officials have
charged Russian intelligence agents with involvement in at least one of the
hacks that affected Yahoo.

Moscow has denied any involvement in hacking.

The BSI said it did not yet have any concrete information about the data
breaches because of Yahoo’s lack of cooperation.

“Users should therefore be very careful about which services they want to
use in the future and to whom they entrust their data,” BSI President Arne
Schoenbohm said in a statement.

The BSI chief reiterated his recommendation that German consumers consider
switching to other email service providers, adding that certifications such
as those offered with C5-class cloud service security were valuable for

C5 is a German government scheme to encourage cloud-based internet service
providers to attest they use various safeguards against cyber attacks.

Late last year Yahoo, which has agreed to be acquired by U.S. telecoms
giant Verizon and is set to be merged with AOL to form a new business known
as Oath, revealed a data breach dating back to 2013 of one billion user

The various disclosures led Verizon to cut the amount it was willing to pay
for Yahoo by $350 million on its previously agreed $4.83 billion deal.
Yahoo has said it expects the merger into Verizon to close in June.

BSI said an additional 32 million Yahoo users were affected by cyber
breaches in 2015 and 2016. A spokesman for the agency said he was unaware
of any additional breaches in 2017.