Yahoo data breach settlement effort reaches $117.5 million

$50 million was too low for one of the largest data breaches on record.
Written by Charlie Osborne, Contributing Writer

Yahoo has once again attempted to settle a class-action lawsuit involving millions of users following one of the largest data breaches in history with a revised settlement figure of $117.5 million.

On Tuesday, the proposed resolution to the lawsuit was made public. The revised figure of $117.5 million has been made in response to criticism made by US Judge Lucy Koh concerning an earlier figure of $50 million, proposed in October 2018.

See also: Yahoo confirms purchase of stake in cryptocurrency exchange

The judge said the original terms were not "fundamentally fair, adequate, or reasonable." 

Roughly 200 million users are linked to the class-action lawsuit and there appeared to be little true dollar value, and legal fees mentioned in the settlement were considered too costly. The figure was rejected in January.

The data breaches at the heart of the matter took place in 2013 and 2014. The theft of Yahoo source code led to the compromise of all of the tech giant's three billion user accounts in 2013, and if the original security incident -- which permitted attackers to access an account at will -- was not bad enough, the second data breach was conducted by a threat actor who managed to steal information belonging to 500 million accounts a year later.

CNET: Firefox will block sneaky cryptocurrency and tracking software

Names, email addresses, telephone numbers, dates of birth, hashed passwords, and more were exposed.

Koh, and users worldwide, have criticized Yahoo not only for allowing these incidents to take place but for being unreasonably slow in revealing they had taken place. It was not until 2016 that the company admitted to the breaches.

Yahoo, which is now owned by Verizon, has already been fined £250,000 by the UK's Information Commissioner's Office (ICO) on behalf of users in the United Kingdom. Now, the proposed settlement includes at least $55 million for victim expenses, $24 million for credit monitoring, up to $30 million for legal fees, and $8.5 million for other expenses, as reported by Reuters.

The new, revised payout requires approval from the US judge.

TechRepublic: Apple's Face ID: Cheat sheet

Verizon finalized the acquisition of Yahoo in 2017. The telecommunications giant originally agreed to pay $4.83 billion and keep on Yahoo CEO Marissa Mayer. However, after the data breaches were revealed, this figure was revised down to $4.5 million and the former chief executive stepped down.

Verizon has also agreed separately to pour additional funds into Yahoo's security and workforce. 

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage

Editorial standards