
Yahoo Class Action Settlement: A $50 Million-Plus Sting

Victims Would Get Credit Monitoring, Reimbursement for ID Theft
Yahoo's headquarters in Sunnyvale, Calif., circa 2006. (Photo: Jay Tong via Flickr/CC)

A proposed agreement that would settle a class action suit against Yahoo over record-breaking data breaches could see the company pay as much as $85 million.


Yahoo, which is now called Altaba and falls under Verizon's Oath division, has agreed to put $50 million in a fund for victims seeking reimbursement of losses specifically linked to the breaches, according to the settlement agreement.


The agreement is awaiting final approval by Judge Lucy H. Koh in federal court in San Jose, Calif. A hearing is scheduled for Nov. 29. As is standard in such agreements, Yahoo will not admit to wrongdoing.

Yahoo is also on the hook for a maximum of $35 million in attorneys' fees and up to $2.5 million in other costs and expenses. It also must pay for credit monitoring services for victims, a cost that is separate from the $50 million settlement fund.

Yahoo's first data breach disclosure, in September 2016, came as the company was already battling to revive its relevancy as competitors such as Google and Facebook dominated online advertising and users' eyeballs.

In that month, Yahoo disclosed 500 million accounts had been compromised around December 2014. In December 2016, it announced another breach dating to August 2013 that affected 1 billion accounts. Four men, including two alleged Russian intelligence officers, were indicted in March 2017 for the attack (see Russian Spies, Two Others, Indicted in Yahoo Hack).

Then in October 2017, Yahoo disclosed that the August 2013 breach had actually compromised 3 billion accounts, virtually its entire user base (see Yahoo: 3 Billion Accounts Breached in 2013).

Reimbursement For 'Fairly Traceable' Losses

The settlement fund covers U.S. and Israeli residents and small business account owners that used Yahoo between 2012 and 2016.

As in many data breach settlements, Yahoo has agreed to pay for credit monitoring for victims who make a claim. The credit monitoring service will run for at least two years and be provided by AllClear ID, of Austin, Texas. It is not clear how much offering those services will cost.

Some victims are also eligible for a cash payment as well as reimbursement of out-of-pocket costs related to the breaches.

Payments are capped at $100 per person. If the settlement fund isn't entirely used, the payment could rise to as much as $358.

Out-of-pocket costs can be reimbursed for losses that are related to criminal misuse of the information exposed in the breaches. The exposed data included names, phone numbers, birth dates, security questions and the contents of the email accounts, which could have contained sensitive financial and personal information.

Upon approval by the settlement administrator, those costs can be reimbursed dollar-for-dollar or up to $25,000. The agreement says that the incidents that can be reimbursed have to be "fairly traceable" to the breaches, which will be determined by the settlement administrator.

Linking a breach to an actual identity theft or fraud incident can be difficult. The sheer number and frequency of breaches have clouded whether one specific breach necessarily led to fraud.

The agreement also says that victims who can document the time they spent trying to remedy an issue related to the breaches can be compensated up to $25 per hour for up to 15 hours. Those who can't provide documentation are capped at up to five hours.

Big Breaches, Big Bills

If approved by the court, the agreement adds to the steep costs shouldered by Yahoo over the incidents.

In April, the U.S. Securities and Exchange Commission fined Yahoo $35 million for failing to promptly notify investors of the December 2014 breach (see SEC Fines Yahoo $35 Million Over 2014 Breach).

That breach was disclosed in September 2016 as Verizon was in talks to acquire Yahoo. As a result of the disclosure - and the unknown costs that may come - the acquisition price was reduced by about $350 million.

The deal was closed in June 2016 for $4.48 billion. As part of the acquisition, Yahoo agreed to pay half of the costs related to government investigations and third-party litigation over its breaches.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
