
Yahoo proposes US$117.5m breach settlement - but will it be enough?

10 Apr 2019

Yahoo might be looking at a payout of US$117.5 million (NZ$174.2 million) to settle two data breaches that affected billions of users worldwide.

The breaches, which occurred between 2013 and 2015, put the personal information of all Yahoo users at risk – to the point where every user was encouraged to change their password.

According to Reuters, the proposed settlement still requires the approval of US judge Lucy Koh.

Koh has been instrumental in the fight between plaintiffs and Yahoo as a result of the breach.

In January, Koh rejected an initial data breach settlement of US$50 million, in addition to two years' free credit monitoring for 200 million people (1 billion accounts) located in the United States and Israel.

However, Koh found that the settlement proposal did not include the size of the settlement fund, the costs of credit monitoring, or how much victims could expect to recover from the breach.

Koh was also damning in her criticism of Yahoo for not taking the issue seriously enough and being too secretive about its plans.

“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote as part of her decision.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number. Yahoo has not committed to any specific increases in the budget for data security and has made only vague commitments as to specific business practices to improve data security.”

“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In September 2017, Yahoo tried in vain to stop affected parties from filing lawsuits related to the breaches. However, Judge Lucy Koh overturned Yahoo’s plea to dismiss lawsuits because of ‘vague and unspecified harms’.

However, Koh wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information.”

According to security firm High-Tech Bridge’s Ilia Kolochenko, it’s often the attorneys that end up winning.

“On average that is $25 per compromised account, an embarrassingly modest compensation for breach of your privacy and stolen personal data,” says Kolochenko.

“However, it's pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

All eyes are now on Koh to decide whether the new $117 million settlement is enough to redeem a badly damaged Yahoo.
