
Privacy Commissioner looks at Yahoo hack

NZ Newswire 26/09/2016

The privacy watchdog says a cyber attack on 500 million Yahoo accounts which caught out some Kiwi customers shows the need for compulsory reporting laws.

Global internet giant Yahoo announced earlier last week that at least 500 million user accounts had been hacked in 2014.

In New Zealand, Spark, formerly Telecom, has run its email system - Xtra Mail - through Yahoo's servers for nine years and has confirmed that a small number of its 825,000 email users were affected.

On Monday, Privacy Commissioner John Edwards said it was still not clear whether Yahoo had learned about the attack earlier and there were concerns it may have known for months before telling Spark.

"The fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification," he said.

A proposed change to the Privacy Act set to be tabled in parliament in 2017 would make reporting breaches mandatory.

"When agencies lose customer data, they need to help those customers take steps to protect themselves by alerting them as quickly as possible," Mr Edwards said.

"This is particularly true with a breach of this size and with such sensitive information."

He commended Spark for telling customers quickly about the breach.

"Every day counts in a data breach and agencies need greater incentive to take a leaf out of Spark's book."

The revelation came just days after Spark announced it would be ditching Yahoo as the provider of its email service.

New Zealand-based company SMX will be the new manager of its email services from early next year.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth and hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

It did not include unprotected passwords.
