
Yahoo proposes US$117.5m breach settlement - but will it be enough?

10 Apr 2019

Yahoo might be looking at a payout of US$117.5 million (NZ$174.2 million) to settle two data breaches that affected billions of users worldwide.

The breaches, which occurred between 2013 and 2015, put the personal information of all Yahoo users at risk – to the point where every user was encouraged to change their password.

According to Reuters, the proposed settlement still requires the approval of US judge Lucy Koh.

Koh has been instrumental in the fight between plaintiffs and Yahoo as a result of the breach.

In January, Koh rejected an initial data breach settlement of US$50 million, in addition to two years of free credit monitoring for 200 million people (1 billion accounts) located in the United States and Israel.

However, Koh found that the settlement proposal did not include the size of the settlement fund, the costs of credit monitoring, or how much victims could expect to recover from the breach.

Koh was also damning in her criticism of Yahoo for not taking the issue seriously enough and being too secretive about its plans.

“Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious,” Koh wrote as part of her decision.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number. Yahoo has not committed to any specific increases in the budget for data security and has made only vague commitments as to specific business practices to improve data security.”

“Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In September 2017, Yahoo tried in vain to stop affected parties from filing lawsuits related to the breaches. However, Judge Lucy Koh overturned Yahoo’s plea to dismiss lawsuits because of ‘vague and unspecified harms’.

However, Koh wrote that “All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information.”

According to security firm High-Tech Bridge’s Ilia Kolochenko, it’s often the attorneys that end up winning.

“On average that is $25 per compromised account, an embarrassingly modest compensation for breach of your privacy and stolen personal data,” says Kolochenko.

“However, it's pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”

All eyes are now on Koh to decide whether the new $117 million settlement is enough to redeem a badly damaged Yahoo.
