Telecom sticks with YahooXtra - two of its harshest critics react

NetSafe CEO Martin Cocker: worried information was stolen in Feb attack

UPDATE: "Telecom was stuck between a rock and a hard place with this," Institute of IT Professionals NZ CEO Paul Matthews told NBR ONLINE.

After a review, Telecom says it will stick with Yahoo (which hosts its Xtra email service in Sydney) despite security problems and a widespread phishing attack in February.

Closing Xtra mail or moving to another provider would have had a majorly disruptive effect on their 400,000 Xtra email users and would be a last resort, the IITP boss notes.

"It's encouraging that Telecom is making changes to its configuration to allow for a more proactive response should a future event occur," Mr Matthews says.

Martin Cocker, head of the part government-funded NetSafe, says Telecom is quite right to describe security breaches as being part of the reality of the online world.

"Given that fact, service providers should be ready to respond and assist customers when breaches occur," Mr Cocker says.

"Our criticism of Telecom focused on the delay to, and initial approach to, engagement with customers and stakeholders."

Therefore, NetSafe's interest is not so much in whether Telecom has chosen to stick with Yahoo or not, but whether it has improved its capability to respond to any future breaches, the NetSafe boss says.

"That is something that can not be proven until it is tested."

Mr Matthews strikes a similar note.

"One of the largest criticisms of the initial response was a lack of communication with customers about what was happening and the scale of it. Keeping their customers in the loop would have made a significant difference. Time will tell how this plays out of course."

EARLIER: Telecom has completed its review of the Xtra email service, hosted on its behalf by Yahoo in Sydney.

The review followed a security breach of Yahoo's email servers that saw "phishing" emails sent from some people's accounts (even if they had not even accessed their Xtra email account recently, let alone clicked on a dodgy link).

At the time the security breach was announced, on February 12, Telecom Retail CEO Chris Quin said all options were on the table; a clear hint Yahoo might be dropped.

Yahoo has promised to improve security.

It will also move Telecom to "Yahoo-standardised infrastructure, rather than the bespoke service they provide us with today. We believe this would offer a more robust and flexible platform, with greater redundancy than our current setup, improving the reliability of the service, and reducing the impact of any incident if something does go wrong," Mr Quin said in a statement this morning.

Meantime, "In the short term, Telecom is working with Yahoo! to implement a much simpler process for alerting customers whose accounts have been compromised and helping them re-secure those accounts. This will involve automatically directing customers to a webpage that advises them their accounts have been compromised and then steps them through changing their password, and making any necessary changes to their settings," Mr Quin says.

A key problem during February was that tens of thousands of affected customers did not change their passwords. Telecom had to summarily cancel their existing passwords, then direct them to execute a reset via online or phone. At times Telecom's website was overloaded, and wait times for its call centres stretched to hours.

The mail server security breach, plus a subsequent upsurge in phishing emails, saw around 75,000 of Telecom's broadband customers affected.

Today, Mr Quin said research found customers rated Yahoo Xtra very highly, and favoured keeping the service.

The retail boss notes the service is optional. Around 400,000 choose to use it.

Telecom also asked whether it should offer a web mail service full-stop (the YahooXtra service is a legacy of the time Telecom owned a 49% stake in Yahoo's local subsidiary. It was sold in mid 2011).

Overwhelmingly, customers said it should, the company said in a statement (below).

There were two narratives on the February "customer impacts" as Telecom has termed them.

Telecom acknowledged there were two separate problems.

The company emphasised the upsurge in phishing email - or messages that encourage people to click on a malicious link. If they click on it, then people in their address book often also get sent phishing emails.

Experts like Institute of IT Professionals NZ CEO Paul Matthews and NetSafe head Martin Cocker emphasised the fact there was a direct breach of YahooXtra mail servers, meaning historic emails, and address books, could have been downloaded for use in future attacks (Telecom and Yahoo admitted this was a possibility, but say there is no evidence it occurred).

To underline the human error element, Telecom noted its own CEO, Simon Moutter, had foolishly clicked on a phishing link.

To highlight the Yahoo email server breach, NBR channeled Messrs Matthews and Cocker and noted a graphic example of the fact phishing emails weren't just sent from the accounts of people who clicked on rogue links: One NBR reader received an email sent from the account of Capital & Merchant Finance director Neal Nicholls, who has been in jail since August last year with no internet access.


7 Comments & Questions


No job cuts so doesn't meet Telecom's normal strategic thinking.

  • 0
  • 0

This just reinforces the point that if your business needs email, do not under any circumstances use Xtra/Yahoo for it.

The small additional monthly costs of switching to Google apps or Microsoft Office 365 or similar are worth the knowledge that security and reliability of service are taken seriously.

  • 0
  • 0

I agree with the Xtra/Yahoo sentiments however if for business I strongly recommend businesses never use Google Apps or Microsoft Office 365.

My reasons are:

Both Google Apps and 365 have lost people's data. Recently several NZ businesses lost months' worth of email on 365, but you did not read about it in the news. Happens on Google Docs as well.

It would be better to select a sound NZ based email provider that uses a spam filtering service such as SMX email filtering.

Many Cloud services and remote services get hacked on a regular basis e.g. Log Me In and Docusign got hacked in December and again two weeks ago. Hackers got access to confidential data of large numbers of account holders. In some cases Log Me In sessions were hijacked.

Worried about hackers having access to your data? What about Google or their employees?

Google Terms & Conditions (that no-one ever reads) includes:
"Your Content in our Services: When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."

"The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones. This licence continues even if you stop using our Services (for example, for a business listing that you have added to Google Maps)."

If you want roaming access to your business data there are plenty of solutions that you can use in your own business that do not involve a hosting company whose policies and attitudes do not closely resemble that of the Borg.

  • 0
  • 0

This has recently been an issue for Google in the USA, wherein educational institutions have said they cannot use Google (but can use Microsoft Office365) because they are not allowed to share their users' confidential details and information.

  • 0
  • 0

Also encourage everyone to create their own email address such as, not use a gmail or yahoo or hotmail one.

  • 0
  • 0

Nothing screams "small time" like a business or business person with email accounts using some ISP or web email provider's domain name (e.g.,,, or, perish the thought, It only costs about $30 per year to get a built-in marketing tool, that subtly but substantially increases your business credibility.

  • 0
  • 0

Why anyone would use a cloud based service I do not know. Just buy your own domain name, have it hosted and use an FTP program to access your own web site where you can store your documents.

  • 0
  • 0
