
Yahoo proposes US$117.5m breach settlement - but will it be enough?

10 Apr 2019

Yahoo might be looking at a payout of US$117.5 million (NZ$174.2 million) to settle two data breaches that affected billions of users worldwide.

The breaches, which occurred between 2013-2015, put personal information of all Yahoo users at risk – to the point where every user was encouraged to change their password.

According to Reuters, the proposed settlement still requires the approval of US judge Lucy Koh.

Koh has been instrumental in the fight between plaintiffs and Yahoo as a result of the breach.

In January, Koh rejected an initial data breach settlement of US$50 million, in addition to two years of free credit monitoring for 200 million people (1 billion accounts) located in the United States and Israel.

However, Koh found that the settlement proposal did not include the size of the settlement fund, the costs of credit monitoring, or how much victims could expect to recover from the breach.

Koh was also damning in her criticism of Yahoo for not taking the issue seriously enough and being too secretive about its plans.

“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote as part of her decision.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number. Yahoo has not committed to any specific increases in the budget for data security and has made only vague commitments as to specific business practices to improve data security.”

“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In September 2017, Yahoo tried in vain to stop affected parties from filing lawsuits related to the breaches. However, Judge Lucy Koh rejected Yahoo’s plea to dismiss the lawsuits on the grounds of ‘vague and unspecified harms’.

Instead, Koh wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information.”

According to security firm High-Tech Bridge’s Ilia Kolochenko, it’s often the attorneys that end up winning.

"On average that is $25 per compromised account, an embarrassingly modest compensation for breach of your privacy and stolen personal data,” says Kolochenko.

“However, it's pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

All eyes are now on Koh to decide whether the new $117 million settlement is enough to redeem a badly damaged Yahoo.
