We seem to hear about new security breaches every week, but there have been two significant updates to previously announced cyber attacks. Do you want the good news or bad news first?
The bad
Yahoo has announced that the number of user accounts affected during its August 2013 data theft, which was disclosed mid-December 2016, is actually much higher than originally estimated. In 2016, the company said approximately one billion accounts had likely been impacted, but new intelligence says this number is now as high as three billion – essentially all of its users and almost half the planet’s population.
It was already dubbed as the largest data breach ever, and this revision only cements Yahoo’s place at the top of an undesirable list.
The hack exposed user account information, such as names, email addresses, passwords, birthdays, phone numbers, and in some cases, encrypted or unencrypted security questions and answers, according to Yahoo’s 2016 memo.
Now, the company is saying that its latest investigation of the breach, which stems from Verizon officially acquiring Yahoo in June 2017, indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information tied to the accounts.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” Chandra McMahon, chief information security officer at Verizon, says in an Oct. 3 press release. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
The good
In slightly better news, Equifax Inc. is revising its estimate of the number of Canadians that may have been affected by the security breach it announced on Sept. 7. Its original figure of 100,000 Canadians has been significantly downsized to 8,000, thanks to an investigation by Mandiant, which has finished its forensic probe.
“The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted,” says an Oct. 2 press release. “In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens.”
Newly appointed interim CEO, Paulino do Rego Barros, Jr., reaffirms that the company’s priorities are “transparency and improving support for consumers,” and adds that she will “continue to monitor [Equifax’s] progress on a daily basis.”
In a previous release, Lisa Nelson, president and general manager at Equifax Canada, apologized to Canadian consumers who may have been impacted
“We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete. Our focus now is on providing impacted consumers with the support they need,” she said on Sept. 19.