sb-eu logo
Story image

US judge squashes Yahoo's attempt to stop data breach lawsuits

05 Sep 2017

Both Yahoo and victims of its multiple data breaches have been granted – and denied – the ability to dismiss lawsuits based on plaintiffs’ Consolidation Class Action Complaint (CCAC) and under US California Unfair Competition Law (UCL).

Judge Lucy Koh delivered the verdict in a 93-page decision in California last week. She said that affected users of the 2013, 2014 and 2015/2016 breaches could claim breach of contract and competition.

“All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information,” Koh wrote in her decision.

The 2013 breach affected more than one billion user accounts; however Yahoo held off on the news for three years. A second breach happened in 2014, which affected 500 million accounts. In 2016, details emerged of a breach from 2015 that compromised 200 million accounts.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account,” Yahoo said in a press release in September 2016.

In May, Yahoo had previously claimed that breach victims did not have enough grounds to sue the company because of ‘vague and unspecified harms’, despite at least 20 lawsuits filed at the end of 2016.

“According to Defendants, named Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of "unspecified information" and emails. Moreover, Defendants argue that Plaintiffs' other allegations of injury are speculative, and that any monetary injuries suffered by Plaintiffs have been reimbursed. Plaintiffs, by contrast, argue that all Plaintiffs have suffered concrete harms from the Data Breaches, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases,” Koh says in her report.

Earlier this year, US police charged two of four Russians, two of whom were from Russia’s Federal Security Service, in connection with the breaches.

At the end of August, defendant Karim Baratov pleaded not guilty to 47 charges, according to media reports. Alexsey Belan, Dmitry Dokuchaev and Igor Sushchin have not been captured.

Amongst the fallout from the breaches, CEO Marissa Meyer resigned and gave employees her annual bonus as compensation from the breaches.

Yahoo was purchased by Verizon last year for an original offer of US$4.8 billion. After news of the breaches surfaced, Verizon slashed its purchase offer to $4.48 billion. The company turned Yahoo’s assets into units called Oath and Altaba.

Story image
Emotet malware is on a rampage after months of silence
CERT agencies around the world are reporting a surge in cyber attacks related to the Emotet malware, which is being distributed by email.More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
75% of IT execs 'worried' about being targeted in cyber-attack
A new report from ConnectWise has shed light on the widespread concern about cyber-attacks, with 91% of SMB executives considering a move to an MSP if it provided the 'right' solution.More
Story image
Gartner predicts 75% of CEOs to be liable for cyber-physical security incidents by 2024
The nature of CPSs means incidents can quickly lead to physical harm to people, destruction of property or environmental disasters – and Gartner’s new research indicates that these incidents will increase drastically in the next few years if the lack of spending on these assets continues.More
Story image
Remote staff overestimating knowledge of cybersecurity basics
‘Unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More