
Wednesday, April 12, 2017

European Union regulator will complete the Yahoo email hack investigation in ‘next couple of weeks’

Image Credit: Yahoo
Yahoo’s European regulator said it is preparing to give the U.S. Internet company the results of an investigation into the 2014 theft of data from 500 million users, including any remedial action to avoid a repeat of the breach. Yahoo said in September last year that hackers had stolen the data in 2014, prompting criticism from U.S. politicians into the delay in notifying customers.
Ireland’s Data Protection Commissioner, the lead European regulator on privacy issues for Yahoo because the company’s European headquarters are in Dublin, told Reuters she would issue the report “in the next couple of weeks”. “We are preparing to serve the final report on Yahoo EMEA Ltd and require of them any remedial actions we have identified,” Helen Dixon said in an interview. It will be up to Yahoo whether to make the report public, she said.
A new EU-wide data protection law coming into force in May 2018 allows fines of up to 4 percent of global turnover. Until then, however, the office of the Data Protection Commissioner said it has no administrative capability to fine a company. A spokesman for Yahoo said it has been cooperating with the commissioner’s office on the investigation and will review the findings carefully when they are available.
Reuters
Publish date: April 12, 2017 12:17 pm | Modified date: April 12, 2017 12:17 pm

Tuesday, April 4, 2017

Yahoo and AOL will merge to form a new company called Oath

Image Credit: Twitter, Tim Armstrong, @timarmstrongaol
AOL and Yahoo will be combined into a unit called Oath after telecom titan Verizon buys the pioneering internet firm, according to a tweet Monday by the AOL chief. Confirmation of a new name for what the world has long known as Yahoo was tweeted from a verified @timarmstrongaol account after reports of the new name leaked in US media reports.
“Billion+ Consumers, 20+ Brands, Unstoppable Team. #TakeTheOath. Summer 2017,” the Twitter post read. A price cut early this year kept Verizon on track to consummate the purchase of Yahoo’s internet business, and share the costs from a pair of epic hacks that threatened to derail the deal.
Yahoo slashed the price of its core internet business by $350 million. Under revised terms of the delayed deal, Verizon’s purchase of Yahoo assets will total $4.48 billion. Yahoo announced in September that hackers in 2014 stole personal data from more than 500 million of its user accounts. And in December it admitted to another cyber attack from 2013 affecting more than a billion users.
The US Justice Department last month charged two Russian intelligence operatives and a pair of hackers over one of the largest cyber attacks in history, which had apparent twin goals of espionage and financial gain. The Kremlin denied any official Russian involvement in cybercrimes after the US indicted two FSB intelligence agents over cyber attacks on Yahoo that compromised 500 million accounts.
Under the terms of the revised acquisition agreement, Yahoo will continue to cover the cost of a US Securities and Exchange Commission (SEC) probe into the breaches as well as shareholder lawsuits. However, other government investigations and third-party litigation related to the hacks will be shared by Verizon and Yahoo.
The deal with Verizon was expected to close by July, and will end Yahoo’s run of more than 20 years as an independent company. Yahoo is selling its main operating business as a way to separate that from its more valuable stake in Chinese internet giant Alibaba, which will become a new entity, to be renamed Altaba, Inc., and will act as an investment company.
Yahoo boasted having more than a billion users monthly in 2016. Yahoo’s most recent earnings report showed the company swung to profit in the final three months of last year, after a massive $4.4 billion loss in the same period of 2015. Yahoo reported a loss of $214 million for 2016 on revenue that inched up to $5.2 billion from $5 billion in 2015.
Yahoo chief Marissa Mayer will quit the company’s board after the merger with Verizon that creates Oath, according to an SEC filing, though she is expected to remain with the core Yahoo business.
AFP
Publish date: April 4, 2017 2:49 pm | Modified date: April 4, 2017 2:49 pm

Thursday, January 12, 2017

Yahoo hacks: European Union is not satisfied with US’ explanation regarding Yahoo email scanning orders

Image: Reuters
The United States has not satisfied the European Union’s concerns about Yahoo’s scanning of all customers’ incoming emails for US intelligence purposes, the bloc’s justice chief told Reuters in an interview.
The European Commission, the EU executive, asked the United States in November for clarifications on the secret court order served to Yahoo as part of its monitoring of a new transatlantic pact facilitating the exchange of personal data by businesses.
To clinch an agreement on the EU-US Privacy Shield, as the data transfer framework is known, Washington pledged not to engage in mass, indiscriminate surveillance.
That allayed Commission concerns for the privacy of Europeans’ data stored on US servers raised by disclosures of intrusive US surveillance programmes in 2013 by former National Security Agency contractor Edward Snowden.
“I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” EU Justice Commissioner Vera Jourova said in the interview.
While Yahoo is not signed up to the Privacy Shield and the scanning took place before the framework existed, the issue is a first test case of how the new system, which underpins $260 billion of trade in digital services, and the US commitments on spying work in practice, an EU official said.
The Privacy Shield allows businesses to seamlessly move Europeans’ personal data across the Atlantic, whether for completing credit card transactions, hotel bookings or analysing browsing habits to serve targeted ads, while complying with strict EU data protection rules.
“I understand that the American side, when it comes to national security issues, cannot be fully concrete,” Jourova said.
Nevertheless, she said, she still expects more detailed information on what happened and the reasons for which Yahoo was asked to scan customer emails.
Reuters reported in October that Yahoo scanned all incoming emails for a digital signature linked to a foreign state sponsor of terrorism at the behest of an order from the Foreign Intelligence Surveillance Court.
The Privacy Shield foresees an annual review to ensure the United States is abiding by its commitments and that the framework is effective. The first annual review will take place this summer, under now President-elect Donald Trump.
Jourova said she was not concerned by the incoming Trump administration but that she would closely monitor what he would do with the US government’s presidential policy directive on US surveillance activities and a newly established US ombudsperson office in the State Department to handle complaints from EU citizens about US spying.
“I would expect that Trump’s administration would understand what is good and what is bad for business. This is good for business,” she said, referring to the Privacy Shield.
“We need to see that we can still trust.”
Reuters

Friday, September 30, 2016

US Securities and Exchange Commission may make Yahoo the test case of data breach disclosure rules

Yahoo’s disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed and their enforcement. Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a “state-sponsored actor.”
The Yahoo hack could become a test case of the SEC’s guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo’s discovery. Yahoo has not specifically addressed when it learned of the 2014 attack. And the vagueness of SEC’s 2011 rules on disclosure and its failure to enforce them are drawing equal attention, privacy lawyers and cyber security experts said.
The agency has “been looking for the right case to bring forward,” said Olcott. The agency in 2011 told publicly traded companies to report hacking incidents that could have a “material adverse effect on the business” but did not define that. SEC has never acted against a company for failing to disclose a cyber security incident or threat, and it has brought just two enforcement actions against companies for insufficient data protection, an agency spokesman said. Lawyers said this reflected difficulty in determining if breaches were material and many companies’ belief that reporting on cyber threats generally satisfies the disclosure requirement.
Yahoo has not offered a precise timeline about when it was made aware of the breach. On Sept. 9, it said in an SEC filing it did not know of “any incidents of, or third party claims alleging … unauthorized access” of customers’ personal data that could have a material adverse effect on Verizon Communication Inc’s planned $4.8 billion acquisition of Yahoo’s core business. Since then, Yahoo has not clarified if it knew of the attack before that SEC filing. “Our investigation into this matter is ongoing and the issues are complex,” a Yahoo spokesman said last week.
In his letter, Warner asked the SEC to evaluate whether the current disclosure regime was adequate. He cited reports that fewer than 100 of 9,000 public companies disclosed a material data breach since 2010. “I don’t know that we need new rules. But in certain situations, you may need more aggressive enforcement,” said Roberta Karmel, a Brooklyn Law School professor. The SEC in 2014 examined whether cyber disclosure rules needed to be strengthened and imposed new requirements for broker-dealers and investment advisers but not public companies.
‘Punish the victim’
Some policymakers worry rules compelling prompt disclosure of cyber attacks could deter companies from cooperating with authorities. “We cannot blame executives for worrying that what starts today as an honest conversation about a cyber attack could end tomorrow in a ‘punish the victim’ regulatory enforcement action,” Commerce Secretary Penny Pritzker said this week. Congress last year expanded liability protections for companies that share cyber information with the government, and Pritzker urged granting companies temporary immunity during the response to a hack.
Amid SEC inaction, the Federal Trade Commission has brought 60 successful data security cases since 2001 in part, lawyers said, because its authority is clearer than the SEC’s. Those cases have dealt with deceptive statements by companies and security lapses. The FTC is hampered by the lack of a national requirement for companies to notify the public about data breaches. That idea got widespread support after the 2013 hacking of shoppers’ credit card information from Target Corp. But legislation proposed by President Barack Obama in 2015 fizzled.
Reuters

Security analyst says Yahoo!, Dropbox, LinkedIn, Tumblr all popped by same gang

Says five-strong 'Group E' may have lifted a billion Yahoo! records, sells to states



30 Sep 2016 at 06:17, Darren Pauli


Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world's biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world's largest hacks on "Group E", a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches.

The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported.

Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker.

It was then sold to an unnamed nation-state actor group.

Komarov's employer InfoArmor says it performed "extensive analysis of collected intelligence" from the Yahoo! hack from different sources to "clarify the motivation and attribution of the key threat actors" concluding "many recent press reports and published articles have significant inaccuracies".

Yahoo! last week pinned the breach on an unnamed state actor but did not say whether, as Komarov claims, that actor bought the credentials from Group E, which conducted the intrusion.

The company did not respond to a request for comment by the time of publication.


Hacking gangs Group E, For Hell, and broker Tessa88. Mind map by Andrew Komarov.

Komarov tells The Register Group E, so called after the first letter of its leader's moniker, broke into sites using a variety of attack vectors.

"Web apps vulnerabilities and exploitation, plus network intrusion through infection … [and] direct access to databases and source code," Komarov says.

Sites breached by the five-person Group E hacker outfit. Statistics via Andrew Komarov
Breach company          Number of records
Yahoo!                  500 million (up to 1bn)
Myspace                 360 million
LinkedIn                167 million
Vk.com                  137 million
Qip.ru                  133 million
Badoo                   126 million
Dropbox                 103 million
Rambler.ru              101 million
Tumblr                  50 million
LastFM                  43 million
Fling.com               40 million
Mobango.com             6 million
Other combined dumps    600 million


A second group known as "For Hell" used the same broker to sell stolen databases and masterminded other high profile breaches. Komarov says one member known as ROR[RG] hacked Ashley Madison, Adult Friend Finder, and the Turkish National Police, while a second teammate known as "arnie" or "darkoverlord" conducted breaches of unnamed health care organisations.

Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites.

He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups.

That broker is claimed by hackers including some speaking to Vulture South to be a part-time scammer for selling bogus credentials, although the claims cannot be verified. Komarov says Tessa88 was at pains to mask the identity of the hacking groups when selling the Yahoo! credentials to the nation-state actors.