Questions remain to be answered by Yahoo over the company’s data breach

Yahoo claims the hack was the work of a 'state-sponsored actor' and has noted that such attacks are 'increasingly common across the technology industry' – an attempt to place this particular incident in a wider, shared context

Friday 23 September 2016 16:28 BST
2014’s breach went undetected for around eighteen months (EPA)

The scale of the hack to which tech firm Yahoo admits it has fallen victim is staggering. Half a billion customers appear to have had their personal information compromised – names, email addresses and phone numbers were among the details lifted by the hackers. Passwords were also stolen, albeit in more or less encrypted form. Yet the most astonishing factor in this disturbing case is that the data breach took place nearly two years ago. It has taken until now for Yahoo to uncover the loss and make the facts public.

The most obvious unanswered question for Yahoo is when exactly did it become aware of the problem? It has been suggested that an internal investigation into a different, alleged instance of hacking earlier this summer turned up the breach announced today. If that is the case, the time-lapse between discovery and Yahoo’s public statement is perhaps a few weeks – hardly insignificant. If that is so, it must mean 2014’s breach went undetected for around 18 months. That raises obvious concerns about the firm’s ability to combat those who would target its data security. It doesn’t say much for the credibility of a company that ought reasonably to be regarded as one of the world’s technology giants.

Yahoo claims the hack was the work of a “state-sponsored actor” and has noted that such attacks are “increasingly common across the technology industry” – an attempt to place this particular incident in a wider, shared context. Unnamed intelligence officials in the US have been reported as having identified similarities with previous hacks by Russian state operatives. Yet this conclusion hasn’t satisfied some commentators, who have noted that some of the stolen data seems to have been offered for sale: that would be an unusual move by a state agency.

All in all, Yahoo needs to offer a fuller explanation of when and how the breach took place. The fact that the ink is barely dry on the company’s takeover by Verizon adds a further degree of urgency – regulators will want to know who knew what (if anything) and at what stage during the sale. The longer it takes for Yahoo’s management to provide more information, the worse the situation will be from a public relations point of view.

Customers of Yahoo, meanwhile, will be less immediately concerned by the way in which news of the hack was revealed than by the practical consequences. Not only will they be concerned that their details have been floating around cyberspace for months, they also face the tedious task of resetting potentially multiple passwords.

The world has come to rely on the internet more swiftly than could ever have been imagined. Around 45 per cent of the global population uses the net today – up from around 17 per cent just a decade ago. Data security is crucial to that growth, yet in recent times major corporations have shown themselves lacking when it comes to protecting the personal information of customers. Businesses – and governments – must redouble efforts to stop the hackers, whatever the cost.
