Yahoo proposes US$117.5m breach settlement - but will it be enough?

10 Apr 2019

Yahoo might be looking at a payout of US$117.5 million (NZ$174.2 million) to settle two data breaches that affected billions of users worldwide.

The breaches, which occurred between 2013-2015, put personal information of all Yahoo users at risk – to the point where every user was encouraged to change their password.

According to Reuters, the proposed settlement still requires the approval of US judge Lucy Koh.

Koh has been instrumental in the fight between plaintiffs and Yahoo as a result of the breach.

In January, Koh rejected an initial data breach settlement of US$50 million, in addition to two years free credit monitoring for 200 million people (1 billion accounts) located in the United States and Israel.

Koh found that the settlement proposal did not disclose the size of the settlement fund, the costs of credit monitoring, or how much victims could expect to recover from the breach.

Koh was also damning in her criticism of Yahoo for not taking the issue seriously enough and being too secretive about its plans.

“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote as part of her decision.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number. Yahoo has not committed to any specific increases in the budget for data security and has made only vague commitments as to specific business practices to improve data security.”

“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In September 2017, Yahoo tried in vain to stop affected parties from filing lawsuits related to the breaches. However, Judge Lucy Koh rejected Yahoo’s motion to dismiss the lawsuits on the grounds of ‘vague and unspecified harms’.

However, Koh wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information.”

According to security firm High-Tech Bridge’s Ilia Kolochenko, it’s often the attorneys that end up winning.

"On average that is $25 per compromised account, an embarrassingly modest compensation for breach of your privacy and stolen personal data,” says Kolochenko.

“However, it's pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

All eyes are now on Koh to decide whether the new $117 million settlement is enough to redeem a badly damaged Yahoo.
