In 2017, Yahoo announced that a data breach had affected 3 billion of its global users. Predictably, the social media company’s disclosure didn’t sit right with those who had their personally identifiable information (PII) exposed, and a class-action suit was filed. Earlier this month, the Silicon Valley firm and its aggrieved users agreed on a settlement amount of $117.5 million.
Notably, this is not the first time the two litigants have found common ground in the high-profile data security case. In January, U.S. District Judge Lucy Koh rejected a $50 million settlement proposal on the grounds that it wasn’t fair to the plaintiffs. Judge Koh specifically took issue with the fact that the settlement earmarked $35 million for attorneys’ fees.
If approved, Yahoo’s $117.5 million payout will be the largest common fund data breach settlement in history.
Yahoo’s History of Data Breaches
Yahoo is actually attempting to settle claims related to two different data breaches with its proposed settlement. In 2016, Yahoo told the public that hackers only accessed one billion user accounts in the 2013 breach. However, the firm revised that number up to three billion in 2017. Cybersecurity experts have called the Yahoo hack one of the largest in history.
The firm suffered another unrelated breach in 2014 that affected some 500 million users.
The media, government, and industry analysts have criticized Yahoo for its handling of the record data breach. The corporation also received blowback for utilizing MD5 cryptographic hashing to protect its users’ PII. Because the organization didn’t utilize more robust cybersecurity measures, hackers accessed the phone numbers, email addresses, and dates of birth of millions of people.
The Big Tech company has also faced scrutiny for waiting years to publicize its exploited system vulnerabilities. Indeed, the Securities and Exchange Commission fined Yahoo’s then-parent company Alibaba $35 million for dragging its feet on disclosing the hack.
In addition to the $117.5 million settlement, the corporation has also pledged to spend $300 million to bolster its cybersecurity.
Big Breaches Mean Big Payouts
As technology advances, more and more people are entrusting their PII to companies in order to use their services. Unfortunately, corporations are not dedicating the resources needed to ensure they have robust cybersecurity. As such, it’s becoming unsettlingly common for large firms to disclose breaches that affect tens, if not hundreds, of millions of people.
Late last year, two class-action suits seeking a total of $12.5 billion were filed against Marriott for exposing the PII of 500 million customers. Similarly, lawyers are currently preparing a class-action suit against Equifax for failing to protect 145 million people from having their information exposed.
Other notable corporations have recently experienced cybersecurity failures that might result in more class-action lawsuits.
In 2018, hackers subverted Caribou Coffee’s point-of-sale systems and accessed the credit card information of between 265 and 400 million people. Earlier this year, the corporation that owns Buca di Beppo and Planet Hollywood disclosed that it sustained a data breach involving the theft of payment card data belonging to 2 million people.
If the U.S. District Court approves the Yahoo data breach settlement, a new legal precedent will be set. Accordingly, users who had their data insecurely stored by corporations might feel emboldened to seek larger payouts. With judges siding with people over corporations, companies now have more incentive than ever to take data security seriously.