US judge squashes Yahoo's attempt to stop data breach lawsuits
Both Yahoo and victims of its multiple data breaches have been granted – and denied – the ability to dismiss lawsuits based on plaintiffs' Consolidation Class Action Complaint (CCAC) and under US California Unfair Competition Law (UCL).
Judge Lucy Koh delivered the verdict in a 93-page decision in California last week. She said that affected users of the 2013, 2014 and 2015/2016 breaches could claim breach of contract and competition.
“All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information,” Koh wrote in her decision.
The 2013 breach affected more than one billion user accounts; however Yahoo held off on the news for three years. A second breach happened in 2014, which affected 500 million accounts. In 2016, details emerged of a breach from 2015 that compromised 200 million accounts.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account,” Yahoo said in a press release in September 2016.
In May, Yahoo had previously claimed that breach victims did not have enough grounds to sue the company because of ‘vague and unspecified harms', despite at least 20 lawsuits filed at the end of 2016.
“According to Defendants, named Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of "unspecified information" and emails. Moreover, Defendants argue that Plaintiffs' other allegations of injury are speculative, and that any monetary injuries suffered by Plaintiffs have been reimbursed. Plaintiffs, by contrast, argue that all Plaintiffs have suffered concrete harms from the Data Breaches, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases,” Koh says in her report.
Earlier this year, US police charged two of four Russians, two of whom were from Russia's Federal Security Service, in connection with the breaches.
At the end of August, defendant Karim Baratov pleaded not guilty to 47 charges, according to media reports. Alexsey Belan, Dmitry Dokuchaev and Igor Sushchin have not been captured.
Amongst the fallout from the breaches, CEO Marissa Meyer resigned and gave employees her annual bonus as compensation from the breaches.
Yahoo was purchased by Verizon last year for an original offer of US$4.8 billion. After news of the breaches surfaced, Verizon slashed its purchase offer to $4.48 billion. The company turned Yahoo's assets into units called Oath and Altaba.