Spark says 130,000 Xtra Mail addresses at risk after Yahoo hack
Number finally established. Privacy Commissioner says episode shows need for mandatory data breach notification — which is coming in early 2017.
Spark has finally established how many of its customers were affected by a 2014 hack of Yahoo's servers — or at least how many Xtra Mail addresses: 130,000.
In total Yahoo hosts around 825,000 Xtra Mail accounts on behalf of Spark.
After nine trouble-prone years, Spark is finally moving away from Yahoo. From January, Xtra Mail customers will be transferred to New Zealand company SMX, part-owned by Sam Morgan.
The latest statement from Spark says:
We take this matter very seriously and will be progressively communicating directly with these customers who may have been impacted, from today, and over the course of the next 48 hours. The number of email addresses potentially at risk is 130,000, which is around 15% of the total Xtra email address base.
Spark will be asking these customers to immediately change their passwords (if they haven’t already.)
Yahoo has told Spark it has no evidence that the stolen information has been used to gain unauthorised access to Spark accounts.
That last sentence has to be taken with a grain of salt. The hackers aren't about to telegraph any future attack to the hapless Yahoo.
Privacy Commissioner John Edwards praises Spark for taking quick action, given people often share passwords and security questions between services, and email is often used as a central repository of personal information.
However, he adds there are indications that Yahoo may have sat on the information for months and that "shows why we need mandatory breach notification."
An update to the Privacy Act, which will include mandatory breach notification to customers, is due to be tabled in Parliament in early 2017.
Hopefully. Keen NBR readers will be aware that the Privacy Act update has been in the offing since 2012.