WP29’s open letter to Yahoo to explain mass data breach, involving more than 500 million user accounts

Following the massive Yahoo data leak – which involved over 500 million user accounts being accessed – the EU’s Article 29 Data Protection Working Party (WP29) has put tremendous pressure on the multinational technology company to explain the breach.

This can only be a good thing – organisations responsible for mass data breaches need to be held to account, and need to be robustly questioned on how they have managed to allow such breaches to happen!

Letter to Yahoo

On 27 October, WP29 wrote an open letter to Yahoo’s CEO, Ms Marissa Mayer. The letter detailed the breach that occurred in 2014, and conveyed WP29’s (and the general public’s) dismay that Yahoo failed to notify users of the hack sooner than it did.

In fact, it was not until September this year that it was made public knowledge. Chief Information Security Officer, Bob Lord, posted it on the social media site Tumblr following internal investigations of the personal data that was stolen, which ended up amounting to more than half a billion users!


Firstly, why did Yahoo not seek to notify their customers as soon as they were made aware of the breach? Secondly, the stolen data is thought to include millions of users in the EU, thus breaching EU privacy protections, as well as the UK’s own laws.

As citizens of the UK and the EU (for now) we are protected by data protection regulations, and this cyber-attack goes against our rights to privacy as well as our general data protection rights. As WP29 are equipped and responsible for the protection of European citizens’ data, they’re well within their powers to seek answers from Yahoo.

The letter also puts pressure on Yahoo to make further enquiries and investigations to address all aspects of the breach. It calls for Yahoo to notify all affected customers to allow them to take any action necessary as a result of the data breach.

The WP29 are specifically concerned with:

  • The likely consequences of the breach;
  • The breakdown of the number of people affected per European country;
  • The measures that were taken to notify the users;
  • And what Yahoo has done to mitigate the risks following the breach.

Investigations from multiple parties?

The WP29 correctly warns that there may be further investigations made by national Data Protection Authorities as well, and asks for Yahoo’s full cooperation with those investigations. It’s likely that the independent national authorities will want to understand the full nature of the breach and then make assessments for remedial action, which can vary between EU states.

The WP29 gives its 100% backing to independent national authorities choosing to undertake their own investigations, which might increase pressure on Yahoo to give justifications for its actions. Failing that, citizens of the EU may expect remedial action proportionate to the harm Yahoo has potentially caused.


It is not just the stolen data that is concerning Yahoo at the moment; it is also the fact that Yahoo has recently been slammed for liaising with ‘Governmental bodies’ to undertake surveillance activity. Reportedly, they enabled the U.S. authorities to scan users’ emails in 2015 looking for specific information.

National security appears to be the defence for Yahoo to put forward, and there has always been a delicate balancing act between national security and privacy. However, it does not take away from the fact that Yahoo has breached data protection principles in our view.

Yahoo’s acknowledgement

Thus far, Yahoo has acknowledged the letter that was signed by the Chairwoman of the WP29, and pledged to respond as appropriate. It will be interesting to see what, if any, justifications Yahoo have for allowing the mass surveillance and the lack of data protection which has caused millions to feel way more vulnerable to further breaches.


Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'