In House - The FindLaw Corporate Counsel Blog

Judge Greenlights Data-Breach Case

When Verizon bought Yahoo, it had to know that the mega data breach would come back to haunt the company.

Yahoo revealed during the acquisition that hackers got into 1.5 billion email accounts, including user information, passwords and other personal information. It translated into a discount purchase price from $4.83 billion to $4.48 billion -- but who's counting?

Apparently, 1.5 billion Yahoo account holders are counting. They have sued over the data breach, and a judge says they all have a case.

"All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information," Judge Lucy Koh said.

"Future Identify Theft"

The court ruling is a setback for Verizon, which challenged the plaintiffs' standing to sue over the breaches that occurred between 2013 and 2016. Yahoo disclosed them last year, jeopardizing the Verizon acquisition and causing shake-ups in the cybersecurity and legal industries.

Yahoo's general counsel resigned in the aftermath, apparently taking blame for the breadth of the breach. It was the largest data breach ever recorded, according to reports.

"In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool," Yahoo said in a regulatory filing. "The 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident."

The public filing is strong evidence that the company was at least partly liable for the data breach after the first discovery. The judge's ruling further strengthens the plaintiffs' claims for damages.

Personal Information Stolen

After publicly acknowledging the breaches, Yahoo advised users to change their passwords to protect their account information.

However, the company said that customers' "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers" had already been stolen.

In court papers, Yahoo argued that no security system is hack-proof. Plaintiffs' attorney John Yanchunis said the ruling is "a significant victory for consumers."

Related Resources: