Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts
from the if-you-don't-fix-the-front,-you'll-be-paying-on-the-back-end dept
A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in “unending” efforts to thwart attacks, but apparently it just wasn’t good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.
In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc, which bought Yahoo’s Internet business last June, to dismiss many claims, including for negligence and breach of contract.
Koh dismissed some other claims. She had previously denied Yahoo’s bid to dismiss some unfair competition claims.
Yahoo was accused of being too slow to disclose three data breaches that occurred between 2013 and 2016, increasing users’ risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.
Three billion is a lot of potential class-mates, even though many Yahoo users had moved on to more viable/useful services long before the breach began. That being said, password reuse is common. So is the tendency to use the same user name across several platforms. And, needless to say, personally identifiable info stays the same, no matter what platform Yahoo’s former users have strayed to.
The complaint — amended again after news broke that Yahoo’s entire user base had been compromised — notes that Yahoo’s “unending” efforts were routinely terrible, if not practically nonexistent. The suit points out that multiple Yahoo hosts were compromised in 2008 and 2009. The next year, Google notified Yahoo that its systems were being used to attack Google. And in 2012, Yahoo suffered two breaches, including one stemming from a SQL injection attack that revealed the company was (unendingly) storing passwords in plain text.
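The 2012 failure the complaint describes is really two defects stacked on top of each other: a login query assembled from user input, and a password column that held the secrets themselves rather than hashes. The following is an added illustration, not code from the page, the complaint, or Yahoo; it uses an in-memory SQLite database and two constructed fictional accounts (“alice” and “bob”). The first login routine shows how an injected username makes the query hand back every stored plaintext password; the second shows the two fixes a practitioner would expect, a parameterised query and salted PBKDF2 hashing, which together mean an injection attempt neither bypasses authentication nor yields anything reusable.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the example: fictional accounts, not real users.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; what should be stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """In-memory SQLite DB with two tables:
    users_plain  - passwords stored in plain text (the practice described above)
    users_hashed - a random salt and a PBKDF2 hash per user instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pwhash BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users_hashed VALUES (?, ?, ?)",
            (user, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately broken: the SQL is built by string formatting, so whatever
    the user types becomes part of the statement. Returns the matched rows,
    plaintext password column included."""
    sql = (
        "SELECT username, password FROM users_plain "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened form: bound parameters keep input out of the SQL grammar, and
    the stored value is a salted hash compared in constant time. Returns a
    bool and never surfaces anything an attacker could reuse elsewhere."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: closes the string, adds OR 1=1, comments out the rest.
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # every plaintext password
    print("safe:      ", login_safe(db, payload, "anything"))        # False
    print("safe login:", login_safe(db, "alice", "correct horse"))   # True
```

The point of keeping both tables side by side is that fixing only the query would still leave a plaintext dump one backup theft or SQL-capable insider away; fixing only the storage would still leave the authentication bypass. Both have to change.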
A couple of claims have been dismissed but the most damaging — negligence — remains. The plaintiffs so far have presented plenty of evidence that Yahoo handled users’ PII extremely carelessly. From the decision [PDF]:
First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Fifth, Defendants “knew their data security was inadequate” and that “they [did not] have the tools to detect and document intrusions or exfiltration of PII.” “Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs . . . of breaches or security vulnerabilities.” Id. Sixth, and finally, Defendants’ concealment of their knowledge and failure to adequately protect Plaintiffs’ PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA.
Yahoo also has to keep fighting “deceit by concealment” allegations stemming from its delayed reporting of known security breaches.
Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants’ allegedly inadequate security. However, Defendants fail to acknowledge that Defendants’ delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants’ delayed disclosures. Moreover, contrary to Defendants’ suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact—namely, Plaintiffs have already established their “digital identities around Yahoo Mail.” Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they “would have taken measures to protect themselves” if they had been informed beforehand.
In total, Yahoo is still on the hook for 9 of 15 allegations related to the massive security breach. And it has no one to blame but itself if new owner Verizon ends up shelling out for damages. Yahoo’s terrible security had been a problem for half a decade before the 2013 breach. Three years later, it became clear everything Yahoo had collected on three billion email accounts was now in the hands of other people. This long line of breaches shows Yahoo was very interested in increasing its user base, but much less motivated to protect their info.
Filed Under: breach, cybersecurity, email, hack, liability, negligence, security, standing
Companies: verizon, yahoo
Comments on “Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts”
A couple of yahoo accounts I had got the state hackers got you messages, so I closed everything down & moved on.
I’d totally join the class, but after the lawyer fees what will be offered will be like a 1 month free trial of Verizon for 10 minutes, 10 texts, 10 MB – Value $5000!
It is a pity that when companies do shitty things like this they never hurt. They knew, they hid it, & kept chugging along.
Re: Re:
All of this was public info before Verizon bought Yahoo. It stalled their deal for a while and they ended up getting a big discount on the purchase price as a result. In theory they already offset the costs of this litigation on the assumption that it would cost $billions. That reduction in purchase price should be considered by the court as an acknowledgement of their fiscal responsibility to the class members.
out_of_the_blue isn't going to like this
we’re waiting…
Re: out_of_the_blue isn't going to like this
Nah, he’ll love this. It’ll go something like:
“See! I told you all this would happen! But no, you damn corporatists wouldn’t listen. Corporations should be shot and made illegal! We also need to get rid of any and all regulations I don’t agree with. I hope you’re happy now you suckers! Meanwhile I’m just sitting here laughing at you all.”
Or something like that. Is it sad that I can accurately predict what he’ll say? Bets on how close I’ll be?
Re: Re: out_of_the_blue isn't going to like this
Yes. It’s sad.
Re: out_of_the_blue isn't going to like this
Well, of course, he’s a very important commenter here in the Techdirt comment section — and his opinion matters hugely to everyone else.
According to the philosophy of commonality and standardization,
the necessity for the total system rationale precludes simplistic determinism. Thus, any associated supporting element affects a significant implementation of the structural design, based on system engineering concepts.
In other words, unavoidable.
Yahoo would be dead if it wasn’t acquired. Kinda sad to see one of the biggest tech companies of yesterday slipping so low. And I’m not even talking about its new owners 😉
Re: Re:
Why is it sad? It’s just how it goes.
This is why free-market capitalism should be a strong market force. Yahoo screwed itself and allowed others to take their customers.
$100 per user after legal fees sounds like a decent penalty. It isn’t always trivial to change passwords and monitor activities every time one of these companies ignores basic security protocols.
Wonder if the fine folks at Equifax are paying attention?
Re: Re:
How do you expect to identify all those users with reasonable certainty? Especially when all their passwords and PII are public?
Otherwise, $100 per user is a fine idea!
On the one hand, I sympathize with Yahoo.
On the other – if you can’t keep your users’ (not customers’ – the ad agencies are the customers) data safe at those numbers, then it’s incumbent on you to either reduce the number of users to a level you can secure and/or let these people know what’s going on and the risks they’re taking.
If I knew Uzbek hackers had access to my Yahoo account I wouldn’t care – all I use it for is commerce spam anyway. There are a lot of people in the same boat – it’s convenient and we’ve not got anything we’re worried about compromising, so we’d keep using the service.