Yahoo has reportedly reached a revised settlement with millions of victims whose names, email addresses and other personal data were stolen in the largest data breach ever recorded. The revised settlement, totaling $117.5 million, was filed on April 9, 2019 in U.S. District Court in San Jose. U.S. District Judge Lucy Koh, who is overseeing the case, had rejected the previous settlement and must approve the revised proposal before it can take effect.

In the initial settlement offer, both sides agreed to a settlement of $50 million plus expenses, including attorney fees; however, Koh rejected this offer in January.

The amended settlement provides the largest common fund ever obtained in a data breach case.

The new settlement of $117.5 million would pay for the following:

  • At least two years of credit monitoring, open to all Class Members without any cap as to the number of potential claimants, at a cost of $24 million.
  • Notice and administration costs of no more than $6 million.
  • Attorney’s fees of no more than $30 million and costs and expenses of no more than $2.5 million.
  • Service award of between $2,500 and $7,500 per Settlement Class Representative.
  • Alternative compensation of $100 for those individuals already having credit monitoring.
  • Out-of-pocket expenses related to identity theft, lost time, paid user costs, and small business user costs.

The proposed settlement class includes all U.S. and Israeli residents and small businesses that held Yahoo accounts at any time between 2012 and 2016. Across the two countries, this is an estimated 1 billion accounts belonging to close to 200 million people.

The lawsuit covers three data breaches in total: one in 2013, one in 2014 and one in 2016.

Yahoo! Breach Background

In October 2017, Yahoo disclosed that all 3 billion accounts that existed at the time of the 2013 data breach had been compromised. The information exposed in this breach included user names, email addresses, dates of birth, telephone numbers and, in some cases, unencrypted security questions. According to Yahoo, “an unauthorized party stole data” and “all accounts that existed at the time of the August 2013 theft were likely affected.”

First Settlement: Rejected

Judge Lucy Koh said the proposal inadequately disclosed the size of the settlement fund, the scope of the non-monetary relief, and the size of the settlement class.

Koh highlighted six key points as to why the proposal was not adequate:

  • The settlement inadequately discloses the release of claims to any unauthorized access of data in 2012.
  • The release of the 2012 claims is improper.
  • The proposed notice inadequately discloses the size of the settlement fund.
  • The settlement appears likely to result in an improper reverter of attorney’s fees.
  • The settlement inadequately discloses the scope of non-monetary relief.
  • The settlement inadequately discloses the size of the settlement class.

The total size of the settlement fund would have been larger than $50 million, because the settlement separately provided for “attorneys’ fees of up to $35 million, costs and expenses of up to $2.5 million, and service awards of up to $7,500 each for settlement class representatives.” However, it was not clear that the full $35 million would actually be awarded as attorneys’ fees. Under the proposal, any portion of that $35 million not awarded as fees would have reverted to Yahoo rather than to the class, effectively reducing the total amount Yahoo would be required to pay under the settlement.

At the time, Koh also criticized Yahoo for failing to commit, in writing, to improvements in its own information security practices, including security employee headcount and increases in its security budget.

Revisions: Settlement Pending

In the newly proposed settlement, all unclaimed attorneys’ fees, now capped at $30 million, will remain within the settlement fund for disbursement to class members. In addition, Yahoo has committed to “maintain an information security budget of more than $300 million over the next four years and a data security team headcount of 200; amounts that are at least four times and three times greater, respectively, than Yahoo maintained prior to this case,” the memorandum states.

Unchanged from the initial proposed agreement, some individuals may be eligible for cash payments as direct reimbursement for out-of-pocket remediation costs related to the breach. Individuals can claim up to $25,000; however, the costs must be directly traceable to one of the three breaches.

For information on choosing a penetration testing company, or to learn more about the services that would best suit your organization, please contact us for in-depth information on how to prepare your organization.