Yahoo to pay $50m compensation for data breaches?
3.5 billion user accounts breached in two cyber attacks. Update on original story published on June 12.
Yahoo must pay $50 million in damages to data breach victims, as part of a data breach compensation settlement.
The tech giant did not disclose the two breaches, which occurred in 2013 and 2014, until 2016. The first breach affected all 3 billion Yahoo users, while the second affected 500,000 accounts. The company said at the time that the stolen source code allowed attackers to gain access to an account at will, although passwords were encrypted.
ZDNet reported that the second attack was instigated by a ‘state actor’ who stole user credentials. Names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, security questions and answers were exposed.
Financial damages for data breach
Yahoo would pay $25/hour to victims of the data breach under the proposed settlement. Personal damages could include stolen identity or a delayed tax return. Eligible victims can expect payments of up to $125 or $375 each, depending on whether they can provide documentation supporting their losses. Users who pay a subscription for premium accounts can seek a 25 percent refund for the service.
Yahoo was acquired by Verizon in 2016. The original price was approximately $4.8 billion. However, when news of the security lapse broke, Yahoo discounted the deal by $350 million.
The sale was concluded in 2017, leading to the resignation of former Yahoo CEO Marissa Mayer. Yahoo’s core Internet assets were then merged with AOL, now a Verizon-owned company, and rebranded as Oath.
According to ZDNet, Yahoo will pay half of the settlement cost, while Altaba will front the rest of the bill. Altaba has already paid a $35 million fine issued by the US Securities and Exchange Commission (SEC) in penance for Yahoo’s failure to disclose the breach to investors in a timely manner.
Victims of the data breach sued Yahoo in a federal court. They claimed the company failed to disclose weaknesses in its email system that were later exploited during the data breach. The breaches occurred in 2013 and 2014, but were not publicly disclosed until 2016.
The hearing at which a federal court in California will consider the proposal is scheduled for November 29th. The settlement, if approved, could apply to approximately 1 billion users affected by the breach, making it one of the biggest and costliest consumer data breaches in history.
Editor’s comment: Punitive fines and awards of compensation for data breaches are becoming commonplace. While many firms struggle to comply with strict legislation, certain organisations are contemplating failure for GDPR and other privacy initiatives. Next month we will be examining the possible evidence for such a legal conundrum. Watch this space.