Yahoo must face data breach victims litigation: US judge

Technology Reuters

FILE - This Jan. 14, 2015, file photo shows a sign outside Yahoo's headquarters in Sunnyvale, Calif. A new lawsuit accuses Yahoo of turning its back on Chinese dissidents that it promised to help after the company fingered other activists at the ... request of China's government. The allegations are outlined in a lawsuit filed Tuesday, April 11, 2017, in a Washington, D.C., federal court by a group of dissidents who contend Yahoo mismanaged a $17 million fund set up to provide them with financial aid. Yahoo created the fund a decade ago after being skewered in the U.S. Congress for its conduct in China. (AP Photo/Marcio Jose Sanchez, File) (AP)

A U.S. judge said Yahoo must face nationwide litigation brought on behalf of well over 1 billion users who said their personal information was compromised in three massive data breaches.

Continue Reading Below

Wednesday night's decision from U.S. District Judge Lucy Koh in San Jose, California, was a setback for efforts by Verizon Communications Inc, which paid $4.76 billion for Yahoo's Internet business in June, to limit potential liability.

The breaches occurred between 2013 and 2016, but Yahoo was slow to disclose them, waiting more than three years to reveal the first. Revelations about the scope of the cyber attacks prompted Verizon to lower its purchase price for the company.

More on this...

In a 93-page decision, Koh rejected Yahoo's contention that breach victims lacked standing to sue, and said they could pursue some breach of contract and unfair competition claims.

"All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information," the judge wrote.

Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data.

Continue Reading Below

Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge said.

While many claims were dismissed, Koh said the plaintiffs could amend their complaint to address her concerns.

"We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out," John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said in an interview. "It's the biggest data breach in the history of the world."

Verizon spokesman Bob Varettoni said the New York-based company declined to comment on pending litigation.

Yahoo is now part of a Verizon unit called Oath.

In court papers, Yahoo had argued that the breaches were "a triumph of criminal persistence" by a "veritable 'who's who' of cybercriminals," and that no security system is hack-proof.

On March 15, the U.S. Department of Justice charged two officers of the Russian Federal Security Service and two hackers in connection with the second breach in late 2014.

The August 2013 breach affected more than 1 billion accounts, while the 2014 breach affected more than 500 million. A third breach occurred in 2015 and 2016.

The case is In re: Yahoo Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of California, No. 16-md-02752.

(Reporting by Jonathan Stempel in New York; Editing by Bernadette Baum)

What do you think?

Click the button below to comment on this article.