Victims Have ‘Standing,’ Which Could Put Lawsuit on Settlement Path
A federal judge in California has ruled that a consolidated class-action lawsuit filed by those affected by three Yahoo data breaches can proceed.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
The ruling means Yahoo’s corporate parent, Verizon, will face a suit that could eventually lead a court to attempt to quantify the financial impact of leaked email-related data on victims. Or, Verizon could opt to settle.
With the proliferation of data breaches, the case will be closely watched for the long-term legal and financial implications of breaches.
In a 93-page ruling, Judge Lucy Koh of U.S. District Court for the Northern District of California found on Wednesday that the class-action plaintiffs have standing. Standing is the legal term for articulating harm caused by another party.
Koh writes that she agrees with the plaintiffs’ contentions that they’re at risk of identity theft and a loss of value for their personally identifiable information.
Koh’s ruling cites examples of how plaintiffs are alleging harm. Two plaintiffs – a couple – allege that their credit card information was stolen from their Yahoo email accounts. Unauthorized credit accounts were then opened in their names, and fraudsters racked up $900 in illegitimate charges.
Another plaintiff contends she used her Yahoo email account to manage Social Security disability benefits, which were subsequently stolen.
“The court finds that these allegations are sufficient to allege injury in fact arising from the data breaches,” Koh writes.
Verizon acquired Yahoo, now part of the company’s Oath division, for $4.48 billion in June 2016. The acquisition price was reduced by $350 million due to Yahoo’s breach disclosures, which awkwardly occurred amidst its negotiations with Verizon.
Many breach-related lawsuits come to a halt after not gaining standing. As a result, plaintiffs sometimes turn to consumer statutes, such as the Fair Credit Reporting Act and the Telephone Consumer Protection Act, to show violations of law by a defendant in an attempt to gain statutory damages (see Why So Many Data Breach Lawsuits Fail).
But legal experts have said that if plaintiffs gain standing, it puts a class-action suit on a likely course for settlement (see Yahoo Faces Lawsuits Over Breach).
In Yahoo’s motion to dismiss, filed in May, the company sought to emphasize the extraordinary nature of one of its breaches, which occurred in late 2014.
“This litigation arises out of one of the most organized, sophisticated and relentless criminal attacks in cybercrime history, sponsored by the Russian Federal Security Service,” Yahoo writes in the motion. “This was no ordinary security breach, but a full-fledged, state-sponsored cyber assault designed to evade Yahoo! Inc.’s security measures, avoid Yahoo’s detection systems, and adapt and evolve to meet Yahoo’s security defenses and upgrades.”
In March, the U.S. Department of Justice announced the indictment of two officers with Russia’s Federal Security Service, known as the FSB, and two other men, for that intrusion. The men are accused of gaining access to at least 500 million Yahoo accounts, and copies of the databases were later sold on dark web cybercriminal forums (see Russian Spies, Two Others, Indicted in Yahoo Hack).
One of the accused, Alexsey Belan, is accused of mining Yahoo email accounts for credit card and gift card numbers in order to monetize the data. Belan, who is believed to be living in Russia now, also is accused of minting forged cookies that gave him access to 30 million Yahoo email accounts. Those accounts were then allegedly used for spam.
Yahoo has been heavily criticized for not informing users of the breaches sooner.
The company didn’t disclose the second breach until September 2016, about two years after it occurred. Three months later, in December 2016, it disclosed a first breach that occurred in August 2013 (see Yahoo Breach Alert: 1 Billion Accounts at Risk).
That first breach impacted 1 billion accounts, virtually Yahoo’s entire user base. The attackers had access to email accounts, recovery e-mail addresses, MD5 hashes of passwords, mobile phone numbers and ZIP codes.
The third breach involved forged “cookies,” the small data files stored in web browsers that allow continued access to a service without re-authentication. This breach occurred between 2015 and 2016. Yahoo believed the attackers figured out how to reverse engineer its cookies. And it suspects the attackers responsible for the second breach were behind this one as well.