A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.
Yahoo informed customers in 2016 that its systems had been breached in 2014 by hackers who had managed to access data from at least 500 million accounts. A few months later, the company disclosed a different breach, one that dated back to 2013, and which impacted all of its 3 billion users. Data obtained in the 2014 incident is said to have been used in 2015 and 2016 to illegally access accounts.
Yahoo and Altaba, the investment company left over after Verizon's $4.5 billion acquisition of Yahoo's Internet business, faced several lawsuits brought by investors and users.
Last year, Altaba agreed to pay a $35 million penalty to the SEC for not disclosing the 2014 breach to investors, and a judge approved an $80 million settlement that Altaba agreed to pay for misleading investors about the breaches. A court recently also approved a $29 million settlement over shareholder derivative class actions.
However, the settlement announced by Yahoo last October has been rejected by U.S. District Judge Lucy Koh of the Northern District of California. As part of this settlement, the Internet giant agreed to pay $50 million in damages and provide two years of free credit monitoring services to 200 million individuals in the US and Israel impacted by the breaches.
The judge objected that the settlement seeks to release Yahoo from liability for any breaches it may have suffered in 2012, even though Yahoo has denied having knowledge of any breaches prior to 2013.
Judge Koh’s decision is also based on what she described as inadequate disclosure of the total size of the settlement fund, which makes it difficult to determine how much each of the victims will receive.
“The proposed notice discloses $50 million to cover out-of-pocket costs, alternative compensation, paid user costs, and small business user costs,” the judge argued in her ruling. “In addition, the proposed notice discloses that class counsel may apply for attorneys’ fees of up to $35 million, costs and expenses of up to $2.5 million, and service awards of up to $7,500 each for settlement class representatives, to be paid separately from the settlement fund. The proposed notice does not disclose the costs of credit monitoring services or costs for class notice and settlement administration, and does not disclose the total size of the settlement fund.”
The judge also took issue with the fact that the settlement proposal authorizes up to $35 million in attorneys' fees, paid separately from the settlement fund. She described the fees as "unreasonably high" and noted that any unawarded attorneys' fees would revert to Yahoo rather than to the victims.
The decision is also based on what the judge has described as a “misleading estimate as to the size of the settlement class.” The estimate that 200 million US and Israeli nationals are impacted by the breach is based on a “population study” rather than an actual analysis of accounts. Non-public information provided by Yahoo to the court showed a much smaller number of users eligible to seek compensation, which makes it difficult to assess whether the settlement is fair and reasonable.
The judge also found Yahoo's promises to improve security vague, noting that they include no specific commitments on increased security budget or headcount.