Judge Rules Data Breach Victims Can Sue Yahoo
A U.S. District Judge has made it possible for victims of Yahoo’s three massive data breaches to sue the company for punitive damages.
California Judge Lucy Koh rejected a motion by Verizon—that bought Yahoo’s Internet business last year—to dismiss plaintiffs’ claims of negligence and breach of contract, among others.
Yahoo confirmed a total of three breaches between 2013 and 2016. The 2013 breach affected all three billion Yahoo users, which is triple the one billion originally estimated by Yahoo.
The plaintiffs claim Yahoo waited too long to reveal the breaches, which increased their risk of identity theft and required victims to spend money on credit freezes, credit monitoring and other credit protection services. They also claim Yahoo purposefully veiled the extent of the breaches.
Verizon sought to dismiss the claim for punitive damages, but in her ruling, Judge Koh pointed out that Yahoo had been warned about security issues as early as 2012. In addition, the Judge pointed out that when Bob Lord became CISO of Yahoo in 2015, he identified the “security and endemic culture issues” as a problem with the company. Later, Lord was aware that a foreign actor may have been responsible for the 2014 breach but did not share this with the public.
While it is impossible to guess how much plaintiffs may be awarded in damages if the court ultimately rules in their favor, this lawsuit could prove costly for Verizon with a total of three billion victims.
Yahoo claims they did not discover that all three billion users were affected until after Verizon purchased a portion of their business last year.