SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Yahoo proposes US$117.5m breach settlement - but will it be enough?
Wed, 10th Apr 2019

Yahoo might be looking at a payout of US$117.5 million (NZ$174.2 million) to settle two data breaches that affected billions of users worldwide.

The breaches, which occurred between 2013-2015, put personal information of all Yahoo users at risk – to the point where every user was encouraged to change their password.

According to Reuters, the proposed settlement still requires the approval of US judge Lucy Koh.

Koh has been instrumental in the fight between plaintiffs and Yahoo as a result of the breach.

In January, Koh rejected an initial data breach settlement of US$50 million, in addition to two years free credit monitoring for 200 million people (1 billion accounts) located in the United States and Israel.

Koh found that the settlement proposal did not state the size of the settlement fund, the costs of credit monitoring, or how much victims could expect to recover from the breach.

Koh was also damning in her criticism of Yahoo for not taking the issue seriously enough and being too secretive about its plans.

“Yahoo's history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote as part of her decision.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number. Yahoo has not committed to any specific increases in the budget for data security and has made only vague commitments as to specific business practices to improve data security.

“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In September 2017, Yahoo tried in vain to stop affected parties from filing lawsuits related to the breaches. However, Judge Lucy Koh denied Yahoo's plea to dismiss the lawsuits over ‘vague and unspecified harms’.

However, Koh wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information.”

According to security firm High-Tech Bridge's Ilia Kolochenko, it's often the attorneys that end up winning.

“On average that is $25 per compromised account, an embarrassingly modest compensation for breach of your privacy and stolen personal data,” says Kolochenko.

“However, it's pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

All eyes are now on Koh to decide whether the new $117 million settlement is enough to redeem a badly damaged Yahoo.