Yahoo’s proposed data breach settlement rejected by judge

Internet giant Yahoo had drawn up a $50m settlement package for victims of a mass cyber hack, but it was thrown out due to lack of clarity

Yahoo suffered three data breaches between 2013 and 2016, but the full scale of the hacks was only revealed in July 2016

Yahoo’s proposed compensation package for millions of customers who had their email addresses stolen has been rejected by a US judge.

The internet services provider has been seeking to put an end to action relating to three data breaches it experienced between 2013 and 2016. It had suggested a $50m payout plus two years of free credit monitoring for around 200 million people in the US and Israel who were affected by the breaches. These funds would be paid out to lawyers acting on behalf of the users.

The plan, however, was rejected by US District Judge Lucy Koh, who said she could not declare it “fundamentally fair, adequate and reasonable” as it did not clarify exactly how much victims could expect to reclaim.

Under the terms of the agreement, lawyers acting on behalf of the plaintiffs could claim up to $35m in fees, which the court said “may be unreasonably high”. The exact amount that would be paid out to victims, along with the costs of ongoing credit monitoring, was also slated for being too vague.

Yahoo has been criticised for being too slow to disclose data breaches in 2013, 2014 and 2015-16, which resulted in users’ email addresses and other personal information being compromised. The 2013 event allowed hackers to gain access to all three billion Yahoo accounts, while the 2014 attack affected 500 million users. In the most recent breach, plaintiffs are alleging that data collected in the earlier hacks was used to access specific accounts.

The full scale of all breaches was revealed in July 2016, after Yahoo’s internet business was sold to Verizon for $4.48bn. Two Russian intelligence agents and two hackers were charged, with one hacker later pleading guilty to having carried out the cyber attack.

Koh cited this history of secrecy as one of the reasons for rejecting the deal, saying: “Yahoo’s history of non-disclosure and lack of transparency related to the data breaches are egregious.”

“While preliminary approval of the settlement was not granted, we’re confident that we can achieve a viable path forward,” a spokesperson for Verizon told Reuters.

Yahoo must now draw up a new agreement with the plaintiffs to settle the case.