U.S. Judge allows Yahoo data breach victims to sue

U.S. District Judge, Lucy Koh, has said Yahoo must face huge lawsuits brought against them on behalf of over a billion individuals who had their personal data compromised in the well-reported Yahoo breaches.

Verizon communications acquired Yahoo for $4.76 billion in June in a bid to limit liability, and contended that victims didn’t have any legal standing to sue. Judge Koh rejected this over a 93-page decision and held that victims who had their personal data breached by Yahoo’s apparent multiple failures as a data controller could pursue breach of contract as well as unfair competition.

Recognising the risk of future problems

Koh recognised victims’ allegations that the data breaches have created a risk of “future identity theft, in addition to loss of value of their personal identification information.”

Yahoo suffered three monumental breaches over a couple of years, reportedly affecting over a billion of their users. The first incident was massively criticised for not only Yahoo’s apparent lack of cyberattack prevention and detection, but also for the alleged lack of damage control taken afterwards which may have left them vulnerable to the data breaches that followed.

Due to a distinct lack of cyberattack detection measures, Yahoo reportedly didn’t even realise hundreds of millions of users’ personal data had been stolen until it was alerted to the information being advertised for sale online. During that time, users likely had no idea that their personal information could have been misused.

A delay in reporting the breach

Yahoo appear to have delayed reporting the breach, thus leaving users in the dark when they could have been warned and consequently taken steps immediately to prevent damage, or prevent further damage. Over a billion users reportedly had their personal information and log in credentials stolen, potentially providing cybercriminals with an eye watering volume of personal data to do all sorts with.

Due to Yahoo’s multiple failures, affected users have likely been exposed to the risk of identity theft and other forms of personal data misuse.

Victims to claim financial losses

Koh said that some victims also allege financial losses in setting up additional security measures in order to prevent identity theft and other misuse of their data; a loss that wouldn’t exist but for Yahoo’s failures.

Even if affected users change their password for their Yahoo account, cybercriminals may still try the combination for other accounts.

Another popular method for obtaining more information is to send spam or phishing emails to the stolen email address pretending to be a service linked to Yahoo offering news or relevant advice with links that secretly contain malware. People do easily fall for such scams, meaning even an email address without a password can be a valuable piece of information.

Lawyers acting for victims speak out

John Yanchunis, a lawyer representing victims in the U.S., spoke of the welcomed decision as a:

“…significant victory for consumers, and will address the deficiencies the court pointed out.”

On the other hand, Yahoo tried to defend itself by arguing the breaches were “a triumph of criminal persistence”, and that no security system is hack proof. Yahoo makes a valid point in that no system is completely impenetrable, but the tone of their talk is somewhat offensive to many.