If approved by the U.S. District Court for the Northern District of California, the $117.5 million settlement agreement proposed by Yahoo on Wednesday will establish the largest common fund ever obtained in a data breach case.
In December 2016, Yahoo announced that login information for over 1 billion of its customer accounts had been stolen in August 2013. However, in October 2017, the company disclosed that an investigation by outside forensic experts had revealed that all 3 billion accounts existing at the time had been affected, making it one of the largest data breaches ever. The stolen information included users' names, e-mail addresses, telephone numbers, dates of birth, security questions and answers, and passwords hashed with the MD5 algorithm, a process known to be vulnerable to brute-force and hash-collision attacks.
Victims filed a class action lawsuit alleging that Yahoo did not use appropriate safeguards to protect users' personal information and deliberately failed to notify users that their personal information had been stolen. The suit also covers two smaller data breaches that occurred in 2014 and 2016. The proposed settlement would fund two years of credit monitoring for all class members and reimbursement for out-of-pocket expenses related to identity theft, lost time, paid user costs and small business costs, as well as attorneys' fees, costs and expenses, service awards for class representatives, and notice and administration costs.
Yahoo and the plaintiffs initially agreed to a settlement of $50 million, plus attorneys' fees and other expenses, but the proposal was rejected by U.S. District Judge Lucy Koh. In January 2019, Judge Koh ruled that the offer inadequately disclosed the total size of the settlement fund, the scope of non-monetary relief and the size of the settlement class, making it impossible for class members to assess the reasonableness of the offer. The court will hold a hearing on the revised settlement agreement on June 27, 2019.