On the 3rd of November 2020, a court approved a class action settlement that will resolve litigation over five Yahoo data breaches from 2012 to 2016.
It affected almost 194 million Yahoo customers.
The settlement amounted to $117.5 million and required a number of changes to the company’s business practices to make a repeat of the breach less likely.
What is interesting in the approval order is that the court chose to compare the instant settlement to a different in-district data breach settlement.
Reviewing the approval order gives insight into the details judges weigh when deciding whether a settlement is reasonable and in the best interest of the class members.
What Does the Credit Monitoring Services Cover?
It alerts people whenever there are changes to their personal details, such as getting married, or when there have been any new credit inquiries.
If someone has moved, or if there is potential fraud involving their personal information, they will get an alert.
Consumers who are affected by the Yahoo! breach will receive almost two years’ worth of credit-monitoring services through AllClear ID.
It will monitor the class member’s credit file at every one of the credit monitoring agencies, provide up to $1 million of identity theft insurance, and restore affected class members’ identities.
This service, though, is for the class members who have experienced identity theft or fraud.
They will also help with everything from canceling and replacing affected cards to recovering any financial loss.
Class members need to remember that even if the credit monitoring services included in the Yahoo data breach settlement are better than the free credit monitoring services, they can’t stop identity theft in its tracks or stop scam emails or phone calls.
Yahoo Inc. Customer Data Security Breach in a Nutshell
The Yahoo data security breach was the biggest one on record.
Two big breaches of user account data to hackers became public in the second half of 2016.
Yahoo reported the first incident in September. It happened in late 2014, and 500 million Yahoo user accounts were affected.
A separate incident, which started in August 2013 and was reported in December 2016, affected over 1 billion user accounts.
Yahoo later confirmed a different number: the affected user accounts actually numbered 3 billion.
Customer information involved in the breach included names, email addresses, phone numbers, birth dates, and even encrypted/unencrypted security questions and their answers.
Yahoo reported in late 2014 that the breach may have occurred through forged web cookies that falsified login details, which allowed hackers to access any account without the need for a password.
Yahoo was called out for letting people know of the breach too late, as well as for its established data security measures.
It faced several lawsuits and investigations by the US Congress.
The breaches affected Verizon’s July 2016 plans to acquire Yahoo for $4.8 billion, resulting in a decrease of $350 million in the final price for the deal, which was closed in June 2017.
Comparing the Yahoo Data Breach Settlement Amount To Other Data Breach Settlements
In addition, the court reviewed the overall settlement agreement against a prior in-district settlement linked to Anthem Inc’s 2015 medical information data breach.
It compared the $117.5 million Yahoo settlement fund for a class of approximately 196 million to Anthem’s $115 million fund for 79 million.
The court saw that Yahoo’s per capita settlement recovery was $0.60, which was smaller than Anthem’s $1.46.
The court also found that there were factors in the instant case that created the expectation of a larger recovery for the settlement class than in other data breach cases.
In particular, it zeroed in on the fact that Yahoo had multiple data breaches over five years and, every time, denied to the Securities and Exchange Commission any knowledge that they had ever happened.
Yahoo also delayed letting its users know of the breach so that they could protect themselves from what happened.
The court decided that these circumstances weighed in favor of a larger settlement compared to Anthem but acknowledged that the personal details at issue may not have been as sensitive as the details stolen in Anthem.
The court also reported that the Yahoo settlement is favorable compared to Anthem in some factors but unfavorable in others.
For example, Yahoo gave two years of credit monitoring while Anthem gave six, but Yahoo! capped out-of-pocket expenses at $25,000 while Anthem’s settlement class members were capped at $10,000.
But the court found that the Yahoo settlement held up when weighed against Anthem’s settlement and decided that the settlement is a significant sum and gave adequate recovery to the settlement class.
The court was also satisfied with the non-monetary business practice changes that Yahoo agreed to and implemented to stop any other data breaches.
Data Breach in July 2016
User names and passwords for almost 200 million Yahoo accounts were put on sale on TheRealDeal, a darknet market website.
The seller, Peace_of_Mind, had the information for a time and began selling it in late 2015.
He was also connected to selling data from other hacks, such as the 2012 LinkedIn hack.
The data he was selling probably dated from 2012, and people believed it may have been included in other data hacks at that time. Although some accounts were still active, the records did not have the complete details needed to log in, reflecting their age.
Yahoo assured the public that it was aware of the situation and told customers to be cautious, but passwords were never reset at that time.
Data Breach 2014
Yahoo reported that this was a separate breach from the one that happened in late 2014, and that details similar to those taken in the late 2014 breach were taken from over 1 billion user accounts.
The company disclosed the breach on the 14th of December 2016 and required all users to change passwords and reenter any unencrypted security questions and answers.
In February 2017, Yahoo sent out notifications to specific users, informing them what the hackers used to access the accounts.
It was then the biggest known data security breach.
This particular data breach came to light while Yahoo was reviewing data from an unknown third-party hacker that law enforcement had provided about a month before.
During this investigation, Yahoo also identified the method used to take the data in the previous late 2014 hack: fake cookies.
Andrew Komarov, Chief Intelligence Officer of the cybersecurity firm InfoArmor, assisted Yahoo and law enforcement in response to the Peace data.
As he was trying to discover the source of Peace’s data, he found evidence of the most recent breach from a dark web seller who was offering over one billion Yahoo accounts for about $300,000 in August 2015.
Two of the buyers were found to be underground spammers, but the third had more specific inquiries.
He asked if there were ten on the list located in the United States, whether there were foreign government officials on the list, and what details went with those accounts.
Komarov was immediately suspicious, so he studied the list and saw that 150,000 accounts belonged to people working in the US government and military, with additional accounts linked to the European Union, Canadian, British, and Australian governments.
Komarov immediately notified the people of the breach and worked directly with them.
He knew that key officials’ details are kept as low-key as possible, but that they may still open personal accounts that hold information about their professional lives and are still precious to the right people.
He also knew that Yahoo might not put that much focus on the data, as they have been previously dismissive of InfoArmor’s services, and may not investigate deeply as it may threaten the Verizon buyout.
The data was also used to gain access to other online accounts that the user may have, which meant a much bigger breach.
It could also be used to craft phishing attacks that collect user data from unsuspecting people, exposing more sensitive data to malicious purposes.
Hold Security, another cybersecurity firm, found that dark web sellers were still selling the information for over $200,000 as late as October 2016.
What Else To Know About the Data Security Breach Litigation
Come September 2016, Yahoo reported that data from over 500 million users had been breached in 2014.
It included the details mainly needed to retrieve access to an online account.
A similar incident also happened in August 2013, but in that one data from over 1 billion users was stolen.
Experts believed it was the powder keg that may set loose a lot more accounts to be hacked.
After the 2014 breach, attorneys filed a negligence report against Yahoo because it did not do right by its customers, failing to protect them or even inform them properly.
The class members were expected to number in the hundreds of millions, as they hailed from all over the world.
John Yanchunis and Morgan & Morgan won over four other firms to be named Lead Plaintiff’s Counsel for the case.
What Yahoo! Did Wrong
Yanchunis called the Yahoo data breach a fiasco, as he didn’t think it should have been that difficult for Yahoo! to detect the breach over two years.
He thought that the company might have known about the breach in 2014 and did not tell anyone, blatantly disregarding their users’ privacy and breach notification laws.
Along with other states, California has laws that require companies to inform people of data breaches within 30 days of discovering the breach.
After he was named Lead Counsel, Yanchunis mentioned that the case would seek stronger cybersecurity measures from the tech giant to ensure it won’t ever happen again.
People who suffered a financial setback because of the breach will seek damages.
But how did Yanchunis end up as the Lead Counsel of the case?
Judge Koh used the following criteria to choose who was the best lead counsel.
- Should be knowledgeable and experienced in prosecuting complex litigation, which may include class actions, data breach, and/or privacy cases
- Is willing and able to commit to a time-consuming process
- Can work cooperatively and efficiently with others
- Can access sufficient resources to prosecute litigation in a timely manner
Experience may have been the clincher for why Yanchunis got the deal, as he handled the Home Depot and Target data breach cases.
Congress Wanted Yahoo! To Shed Light on the Matter
Yahoo set up a congressional staff meeting for the 31st of January 2017, where it was supposed to clear things up with the members of Congress, but Yahoo canceled at the last minute on the 28th of January.
It earned them a telling-off from Congress.
It also prompted Senators John Thune and Jerry Moran to send a letter to Marissa Mayer, CEO of Yahoo, to demand more details about the data breach. There were a few questions in the letter:
- For Yahoo! to enumerate what they did to identify the problem and if they informed their users accordingly when the 2013 and 2014 data breaches occurred and how many people it affected.
- In relation to the 2013 and 2014 incidents, what are the key details that Yahoo! thinks may have been compromised, and if it involves potentially identifiable information?
- The process Yahoo! has done to identify and resolve potential customer harm linked with the incidents.
- The steps Yahoo! took to resolve the integrity and upgrade its security systems because of the incidents.
- Timeline of the incidents, from when Yahoo! knew the data breaches happened, any investigative steps and efforts to upgrade security, to notifying proper law enforcement agencies and affected users.
Although Mayer was asked to reply no later than the 23rd of February, it is unclear if she complied.
How To Be Protected From Data Breaches
The best way to be protected is to always use a strong and unique password. Online sites nowadays always inform their users to follow the standard:
- To use a password that is between a minimum of 8 and a maximum of 23 alphanumeric characters, give or take
- That it should have lowercase and uppercase letters
- That it needs to have a symbol (there are even specific ones for some online sites)
- That it should not be generic (significant dates, successive numbers, and letters on the keyboard)
There is also a two-factor authentication process, where the user’s mobile phone is usually used to verify their details when signing up for an online account.
Filing a Claim
There were two options in filing a claim: file a claim at www.yahoodatabreachsettlement.com or by snail mail.
There is an option at the site to download and print the claim form, so after filling it out, send it with any supporting document.
One can also send by calling 1-844-702-2788 or emailing info@YahooDataBreachsettlement.com.
The address to send it to will be Yahoo! Inc Customer Data Breach Security Litigation, c/o Settlement Administrator, PO Box 1760, Philadelphia, PA 19105-1760.
Last Points To Ponder
Yahoo! clarified that the judicial review, if the class action settlement was reasonable or adequate, will not fall on deaf ears.
It will serve as a fitting reminder that courts will always depend on prior in-district settlements, if there are any, to use as a reference to evaluate, and judges are inclined to approve a settlement if they find that the class members will receive an adequate recovery.
It was founded in January 1994 by Jerry Yang and David Filo. Yahoo! was one of the companies which started the early internet era in the 1990s.
Now, it is owned by Verizon Media, after being acquired in 2017 for $4.48 billion. It provides a web portal, Yahoo! Search, and related services, including Mail, News, Finance, and Answers.
Editor’s Note on Yahoo Data Breach Settlement:
This article aims to inform you of the Yahoo Data Breach Settlement ruled on in 2020.