Yahoo Is Finally Paying for the Massive 2012-2016 Data Breach, and You Can Get a Piece of It Too
Far too often, when an online service provider loses your data, you have no hope of receiving any sort of compensation for the damage that's been done to you. In most cases, this sort of thing happens to small companies that, even with the best intentions in the world, simply don't have the resources to reimburse victims for failing to secure their information properly. When one of the online pioneers suffers a data breach, however, the impact is much more serious, and the consequences are much more severe.
As you have probably guessed already, we are talking about Yahoo! and the series of data security incidents it suffered a few years ago. Not surprisingly, shortly after the news broke, a class action lawsuit started against what was once the world's most popular email provider. A couple of weeks ago, almost three years after the lawsuit was filed, law firm Morgan & Morgan announced that a settlement has been reached. Before we look into how it can affect you, however, let's take a closer look at the details.
What was the class action lawsuit about?
It's not about a single data breach. In fact, the court documents quote four separate incidents:
- What is referred to as a "security intrusion" from January through April 2012 during which hackers broke into Yahoo!'s internal systems but didn't steal anything.
- The record-breaking data breach during which cybercriminals made off with the personal information of all 3 billion Yahoo! users.
- Another data breach from November 2014 when hackers stole information (including passwords and security questions and answers) that gave them access to the inboxes, calendars, and contacts of approximately 500 million users.
- An attack from 2015 and 2016 during which hackers used cookies to access the email accounts of around 32 million users.
As you can see, between 2012 and 2016, users were put through quite a lot, and although technically speaking, the hackers were the ones committing the crime, Yahoo! must also share the blame because it's clear that it didn't do enough to secure people's data. That's why, according to the settlement, it'll now, among other things, set up a settlement fund and fill it with $117,500,000.
What will affected users get?
At this point, we should say that not every single user affected by the breach is entitled to claim a part of the settlement. It only concerns people in the United States and Israel, and they have multiple options.
US and Israeli citizens who had Yahoo! accounts at the time of the incidents can opt for a two-year credit-monitoring service which will be provided by AllClear ID and paid for by Yahoo!. If, on the other hand, they have already signed up for a credit monitoring service, they can apply for a cash payment of $100. Those who feel tempted by the second option should consider one or two things, though.
In terms of cash, the settlement won't exceed $117.5 million, which means that people who want a cash payment must share whatever is in the fund. Although only US and Israeli users are entitled to it, in all likelihood, there will be quite a few people willing to get the cash. What's more, users who suffered more significant damages because of the breach (and can prove it) can claim a more substantial cash payment which will also be taken from the settlement fund. If too few people claim cash payments, the compensation could go up to $358, but most experts seem to agree that this is unlikely.
Obviously, there are other options. Users can object to the settlement and attend (and even speak at) the final hearing on April 2, 2020. They can also exclude themselves from the settlement and take Yahoo! to court on their own. The details, along with all the filings and the deadlines, are available at a special website dedicated to the settlement. If you are affected, you can go over all the information and make your choice. While you're doing it, however, think about whether this really is enough as a punishment for Yahoo!.