Yahoo! braces itself for enormous class-action suit over breaches

By now, the advice to the billions of people whose personal and financial information has been compromised by unending data breaches has become pretty standard: change your passwords. Use different ones for every site. Make them strong – long and complicated. Don’t use an easy-to-guess security question. Use two-factor authentication. Monitor your credit cards.

But to those who are among the victims of multiple Yahoo breaches since 2013 – well in excess of 1bn accounts, according to court filings – there’s something new to add to the list: join a class-action lawsuit. You have, as they say in legal proceedings, “standing”.

That is thanks to US District Court Judge Lucy Koh, of the Northern District of California, who last week rejected a motion by Yahoo to throw out a consolidated class-action lawsuit seeking compensation for damages from those breaches, which compromised its customers’ personally identifiable information (PII) and put them at risk of identity theft and other harm.

The 93-page decision is a very big, possibly precedent-setting, deal. As Rebecca Hughes Parker, global editor-in-chief of The Cybersecurity Law Report, put it:

It has been a hurdle for plaintiffs in the past who have tried to argue that risk of future identity theft was sufficient to give them standing under the constitutional requirements of Article III. Even the plaintiffs who did not allege harm from the actual misuse of their information met the standing requirement.

And according to Koh, it is because the risks to the plaintiffs are real, not just theoretical. Among the examples she cited:

  • A couple whose credit card information was stolen and used to make $900 in fraudulent purchases.
  • A man who was unable to file his tax return because a return had already been filed under his Social Security number, which led to numerous fraudulent charges on his credit cards plus $9,000 in college expenses for his daughters who were unable to apply for financial aid on time.
  • A woman who said her compromised email account led to the theft of her Social Security benefits.

Yahoo, in its motion to dismiss, contended that the 2014 breach, in which 500m accounts were compromised, was not due to carelessness or poor security, but because of the sophistication of the attackers.

The motion described it as “one of the most organized, sophisticated and relentless criminal attacks in cybercrime history, sponsored by the Russian Federal Security Service. This was no ordinary security breach, but a full-fledged, state-sponsored cyber assault …”

The source of the attack was confirmed by the US Department of Justice, which announced this past March the indictment of two members of the Center for Information Security at the FSB, the Russian intelligence agency that succeeded the KGB.

The company also made the standard case against “standing” for the plaintiffs, arguing among other things that they couldn’t prove their damages were “fairly traceable” to the breaches.

It said that while the compromised information included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, it didn’t include credit card data or bank account information, which it said it doesn’t store in its system.

But Judge Koh did not find any of those arguments “persuasive”. She noted what the plaintiffs argued – that their compromised email accounts provided credit and bank information:

… users used their Yahoo for a variety of personal and financial transactions, and thus that Yahoo email accounts contained, ‘records involving credit cards, retail accounts, banking, account passwords, IRS documents and social security numbers from transactions conducted by email, in addition to other confidential and sensitive information …’

So Yahoo’s customers are not the only ones now at risk. Koh’s ruling puts Verizon, Yahoo’s corporate parent, at significant risk as well. Verizon’s $4.8bn acquisition of Yahoo came at a “discount” of about $350m, due to possible liabilities from the breaches.

But the liabilities could vastly exceed that discount. Verizon’s attorneys don’t even need a calculator to know that if they get hit with damages worth only $10 for each compromised account, that would total more than twice what they paid to acquire Yahoo.

Which is probably why it is widely reported that Koh’s decision puts the suit “on a likely course for settlement”. Naked Security readers may recall that a couple of months ago Anthem, the largest health insurer in the US, agreed to a “record” settlement of $115m over a breach of about 80m patient records. Which is big bucks on one hand. But it would average out to the grand sum of only $1.46 per victim.

Indeed, Verizon is unlikely to want another judge or jury to hear the long recitation of Yahoo security failures cited by Koh, which include waiting years to announce the breaches – it took three years, until September 2016, to acknowledge the first major breach, of 1bn accounts, in 2013. That could put Verizon on the hook for vastly more than $10 per account.

Not to mention that as of this past March, Yahoo was facing 40 class-action lawsuits in connection with the breaches, which means it probably does not want to set a negative precedent with this one.

Other breached companies are surely watching as well. As a post on ISMG put it, “the case will be closely watched for the long-term legal and financial implications of breaches.”