Yahoo Offers $117.5M Settlement in Data Breach Lawsuit | Threatpost

Yahoo is offering to cough up $117.5 million to settle a lawsuit regarding its massive data breaches that compromised the personal information of three billion users.
The new $117.5 million settlement, filed Tuesday in the U.S. District Court in San Jose, comes after the internet company’s first settlement proposal of $50 million was rejected in January. The lawsuit comes on the heels of massive breaches of Yahoo’s systems between 2013 and 2016.
That includes Yahoo’s infamous 2013 breach that is believed to be one of the biggest in history, which resulted in 3 billion accounts becoming compromised. Stolen data included names, email addresses, hashed passwords and more.
In late 2014, the company fell victim to a second breach that compromised 500 million accounts. It disclosed yet another breach in 2016, confirming that “an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.”
In 2017, Yahoo, which is now part of Verizon Communications, was slapped with a class action lawsuit alleging that the company did not disclose the data breaches fast enough.
In January 2019, a first settlement proposal made by Yahoo was knocked down by U.S. District Court Judge Lucy Koh. The company proposed to pay $50 million and offer two years of free credit monitoring for 200 million people in the U.S. and Israel.
However, Koh said that that settlement wasn’t sufficient as it didn’t specify how much money victims could expect to recover and didn’t cover attorneys’ fees.
This most recent settlement aims to assuage those concerns by having the company pay for two years of free credit monitoring and “alternative compensation” for impacted victims; out-of-pocket expenses related to identity theft, lost time, paid user costs, small business user costs; attorneys’ fees and more. Koh has yet to make a decision regarding Yahoo’s Tuesday settlement.
In April 2018, Yahoo also agreed to pay a $35 million settlement with the Securities and Exchange Commission (SEC), which alleged that the company “misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”