Story image

US judge squashes Yahoo's attempt to stop data breach lawsuits

05 Sep 2017

Both Yahoo and victims of its multiple data breaches have been granted – and denied – the ability to dismiss lawsuits based on plaintiffs’ Consolidation Class Action Complaint (CCAC) and under US California Unfair Competition Law (UCL).

Judge Lucy Koh delivered the verdict in a 93-page decision in California last week. She said that affected users of the 2013, 2014 and 2015/2016 breaches could claim breach of contract and competition.

“All plaintiffs have alleged a risk of future identity theft, in addition to the loss of value of their personal identification information,” Koh wrote in her decision.

The 2013 breach affected more than one billion user accounts; however Yahoo held off on the news for three years. A second breach happened in 2014, which affected 500 million accounts. In 2016, details emerged of a breach from 2015 that compromised 200 million accounts.

“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account,” Yahoo said in a press release in September 2016.

In May, Yahoo had previously claimed that breach victims did not have enough grounds to sue the company because of ‘vague and unspecified harms’, despite at least 20 lawsuits filed at the end of 2016.

“According to Defendants, named Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of "unspecified information" and emails. Moreover, Defendants argue that Plaintiffs' other allegations of injury are speculative, and that any monetary injuries suffered by Plaintiffs have been reimbursed. Plaintiffs, by contrast, argue that all Plaintiffs have suffered concrete harms from the Data Breaches, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases,” Koh says in her report.

Earlier this year, US police charged two of four Russians, two of whom were from Russia’s Federal Security Service, in connection with the breaches.

At the end of August, defendant Karim Baratov pleaded not guilty to 47 charges, according to media reports. Alexsey Belan, Dmitry Dokuchaev and Igor Sushchin have not been captured.

Amongst the fallout from the breaches, CEO Marissa Meyer resigned and gave employees her annual bonus as compensation from the breaches.

Yahoo was purchased by Verizon last year for an original offer of US$4.8 billion. After news of the breaches surfaced, Verizon slashed its purchase offer to $4.48 billion. The company turned Yahoo’s assets into units called Oath and Altaba.

Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.
65% of manufacturers run outdated operating systems – Trend Micro
The report highlights the unique triple threat facing manufacturing, including the risks associated with IT, OT and IP.