On Monday night, a US judge rejected Yahoo’s attempt to pay its way out of explaining data breaches. Yahoo had been attempting to settle with victims of several data breaches between 2014 and 2016. The judge rejected the offer because Yahoo would not disclose the exact amount of money going to the victims.
Judge Lucy Koh wrote in her ruling:
“The proposed notice does not disclose the costs of credit monitoring services or costs for class notice and settlement administration, and does not disclose the total size of the settlement fund. Without knowing the total size of the settlement fund, class members cannot assess the reasonableness of the settlement.”
Judge Koh has also ruled on other cases regarding the nefarious actions of tech giants. One recent example is the patent dispute between Samsung and Apple. Koh has also presided over cases about YouTube, Qualcomm, and Tesla.
The Breaches
Yahoo experienced several data breaches between 2013 and 2016. However, it did not disclose these lapses in a timely manner, despite the fact that close to three billion people were affected. Even in a time riddled with data breaches, the Yahoo breaches are the worst ever.
In a ranking of data breaches by scale, two of the Yahoo breaches stand in first and third place. The first is the 2013 breach with three billion victims, while the third is the 2014 breach with 500 million victims. (In second place is the recent Marriott breach that leaked data of 500 million guests.) Yahoo also had a third breach in 2015-2016, when hackers who stole data in 2014 used that data to hack more accounts.
The assailants in the Yahoo breaches compromised accounts and personal data. Victims had their email addresses and other personal information stolen.
The fact that Yahoo did not disclose its own lapse in security, and so further jeopardized its users, was a huge blow to its reputation. Yahoo revealed details about the breaches only when it had secured the sale of its internet business to Verizon. Yahoo sold for 4.5 billion dollars in 2017.
In the court, the plaintiffs presented evidence of further data breaches Yahoo told no one about. Allegedly, these past data breaches also involved millions of users. The breaches dated as far back as 2008.
The Payout
Yahoo was facing a class action case brought by millions of users from the US and Israel. Yahoo proposed $50 million to settle the case, as well as 2 years of free credit monitoring services for the victims. The American and Israeli victims total about 200 million, and Yahoo agreed to provide credit monitoring to all of them.
However, Judge Lucy Koh was concerned about the fact that Yahoo never specified where the $50 million would go. Yahoo also failed to disclose how much it would spend on the credit monitoring services it was providing.
Koh noted that the number of users in the US and Israel was much higher than Yahoo had told her, and was further concerned that Yahoo would get off scot-free over the breaches that happened before 2013.
Koh also felt that the 140 lawyers representing the victims might be getting too much financial compensation ($35 million).
After the judge rejected the settlement, a Verizon spokesperson said:
“While preliminary approval of the settlement was not granted, we’re confident that we can achieve a viable path forward.”