Your Online Security After The Yahoo Hack

The data breach at Yahoo has left half a billion people around the world in panic about the safety of their online data. But can consumers, especially in Germany and Europe, do anything to protect themselves from attacks?

Half a billion Yahoo users received a message this week saying that they may have had their personal information stolen, including user names, email addresses, phone numbers, and dates of birth. While the hack may not have affected more sensitive data such as unprotected passwords, credit card data or bank account information, the leaked data could still allow outsiders to access user accounts.

The data hack at Yahoo, reportedly dating back to 2014, is regarded as one of the biggest of its kind to date. Yahoo said that it assumes it to be "state-sponsored," but why details have only now emerged remains unclear.

"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," Yahoo said in response to the data breach.

The data breach could also have an impact on the impending sale of Yahoo's core business to US telecom Verizon to the tune of nearly $5 billion (4.3 billion euros), which has been in the making for months.

While the company added that its ongoing investigation had found "no evidence that the state-sponsored actor is currently in Yahoo's network," unassuming consumers still feel alarmed and worried about their online data. But can people take precautionary measures to minimize the likelihood of such hacks affecting their lives?

Consumers not at fault

Dirk Hensel from Germany's Federal Commissioner for Data Protection (BfDI) and Freedom of Information underlined that in the case of Yahoo, this was a hack and not any sort of shortcoming on the part of consumers. 

"This is a data security issue and not directly a question of data protection. This was a malicious hacker attack, which could generally be prevented by establishing the right security measures, and not by consumers taking any action in their own right on their online accounts," Hensel told DW.

Although data protection and data security are related to each other, the terms refer to distinct consumer protection issues. Data security deals with safeguarding information shared online, while data protection limits the ways in which companies can use your information and are allowed to retain

Yahoo tried its best to control the damage, announcing that massive data hacks were becoming increasingly commonplace, while millions of people around the world raced to change their account passwords. However, this course of action is likely to be of little use against a breach of this kind. Germany's Federal Office for Information Security (BSI) agrees that the Yahoo hack could not have been prevented by consumers changing their behavior.

BSI press representative Tim Griese did, however, stress the moral responsibility of giant tech firms, pointing out that "millions of consumers had entrusted their data" to the US-based company.

"Consumers have next to no power or protection after they entrust a company with their data if it gets stolen. We summon companies to handle the data that is put in their trust with care, and to make sure their systems are protected," Griese told DW.

Rules and regulations in an age of globalised data

Dirk Hensel added that Germany had no jurisdiction over providers based overseas anyway, drawing the boundary of where consumer protection rights in Germany begin and end.

"Yahoo is a major provider, and therefore will likely ensure that proper security measures are in place simply out of its own self-interest. But, since it is a US-based company, we have no way of knowing what exact security measures they have taken, and whether these are sufficient in our view," Hensel explained, stressing that it was down to the consumer to decide whether they wanted to use US-based services.

"We are certainly working on establishing more transparency with providers based outside of Germany and the EU. There will hopefully be improved frameworks for this in place in the next two years," he added.

The consumer decides

Hensel emphasized that the best thing consumers can do is to always be informed about the products and services they subscribe to online, as more and more providers move to app-based platforms, which often demand even greater control over consumer data.

"With German providers, we get to assess what safety mechanisms they have and whether they are up to scratch. But companies like Yahoo or Google don't fall under German regulation, and so we can't assess them along those same lines," he said.

BSI's Tim Griese added that people should give more thought to whom they may choose to entrust their personal information.

"With regard to passwords, we advise people not to use the same password for different services and also to be more economical with giving out data. Think carefully who you want to share your data with and what data you are willing to share."

Regulations and jurisdictions aside, the question of what rights and protection consumers should be able to rely on remains open, as the world at large is still settling into the digital age.

DW
