1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

After Yahoo hack, how safe is your data?

Sertan SandersonSeptember 23, 2016

The data breach at Yahoo has left half a billion people around the world in panic about the safety of their online data. But can consumers, especially in Germany and Europe, do anything protect themselves from attacks?

https://p.dw.com/p/1K78B
Yahoo Logo Schriftzug Computer
Image: picture-alliance/dpa/M. Nelson

Half a billion Yahoo users received a message this week saying that they may have had their personal information stolen - including user names, email addresses, phone numbers, and dates of birth. While the hack may not have affected more sensitive data such as unprotected passwords, credit card data or bank account information, the leaked data could still allow outsiders to access user accounts.

The data hack at Yahoo - reportedly dating back to 2014 - is regarded as one of the biggest of its kind to date. Yahoo said that it assumes it to be "state-sponsored," but why details have only now emerged remains unclear.

"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," Yahoo said in response to the data breach.

The data breach could also have an impact on the impending sale of Yahoo's core business to US telecom Verizon to the tune of nearly $5 billion (4.3 billion euros), which has been in the making for months.

While the company added that its ongoing investigation had found "no evidence that the state-sponsored actor is currently in Yahoo's network," unassuming consumers still feel alarmed and worried about their online data.

But can people take precautionary measures to minimize the likelihood of such hacks affecting their lives?

Consumers not at fault

Dirk Hensel from Germany's Federal Commissioner for Data Protection (BfDI) and Freedom of Information underlined that in the case of Yahoo, this was a hack and not any sort of shortcoming on the part of consumers.

"This is a data security issue and not directly a question of data protection. This was a malicious hacker attack, which could generally be prevented by establishing the right security measures, and not by consumers taking any action in their own right on their online accounts," Hensel told DW.

Although data protection and data security are related to each other, the terms refer to distinct consumer protection issues. Data security deals with safeguarding information shared online, while data protection limits the ways in which companies can use your information and are allowed to retain it.

Tim Griese
Tim Griese from Germany's Federal Office for Information Security (BSI) says that choosing online providers is a question of trustImage: Bundesamt für Sicherheit in der Informationstechnik

Yahoo tried its best to control the damage caused, announcing that massive data hacks were becoming increasingly commonplace, while millions of people around the world raced to change their account passwords. However, this course of action may likely be useless. Germany's Federal Office for Information Security (BSI) agrees that the Yahoo hack could not have been prevented by consumers shifting their behavior.

BSI press representative Tim Griese did, however, stressed the moral responsibility of giant tech firms, pointing out that "millions of consumers had entrusted their data" to the US-based company.

"Consumers have next to no power or protection after they entrust a company with their data if it gets stolen. We summon companies to handle the data that is put in their trust with care, and to make sure their systems are protected," Griese told DW.

Rules and regulations in an age of globalized data

Dirk Hensel added that Germany had no jurisdiction over providers based overseas anyway, drawing the boundary of where consumer protection rights in Germany begin and end.

"Yahoo is a major provider, and therefore will likely ensure that proper security measures are in place simply out of its own self-interest. But, since it is a US-based company, we have no way of knowing what exact security measures they have taken, and whether these are sufficient in our view," Hensel explained, stressing that it was down to the consumer to decide whether they wanted to use US-based services.

"We are certainly working on establishing more transparency with providers based outside of Germany and the EU. There will hopefully be improved frameworks for this in place in the next two years," he added.

Screenshot Yahoo Mail
Yahoo sent out messages to millions of users to secure their accounts with new passwords - two years after the hack took placeImage: Yahoo

The consumer decides

Hensel emphasized that the best thing consumers can do is to always be informed about the products and services they subscribe to online, as more and more providers move to app-based platforms, which often demand even greater control over consumer data.

"With German providers, we get to assess what safety mechanisms they have and whether they are up to scratch. But companies like Yahoo or Google don't fall under German regulation, and so we can't assess them along those same lines," he said.

BSI's Tim Griese added that people should give more thought to whom they may choose to entrust their personal information.

"With regard to passwords, we advise people not to use the same password for different services and also to be more economical with giving out data. Think carefully who you want to share your data with and what data you are willing to share."

Regulations and jurisdictions aside, the question of what rights and protection consumers should be able to rely on remains open, as the world at large is still settling into the digital age.