U.S. District Court Judge Lucy Koh has officially ruled that the victims of the colossal Yahoo data breach will be able to sue the online enterprise, reasoning that consumers would have acted differently if they had been informed of the hacks and the security vulnerabilities earlier.
Verizon Communications, now Yahoo’s parent company, attempted to have the suits brought against them thrown out of court, arguing Yahoo had been targeted by “relentless criminal attacks,” according to Reuters, mitigating their responsibility. Plaintiffs argued that Yahoo knew of the cybersecurity vulnerabilities allowing the breach in 2012, and about a separate hack that took place in 2014. They are suing for negligence and breach of contract, among other charges.
Yahoo originally admitted to a breach of 1 billion of their consumers’ accounts in 2016 during their purchasing negotiations with Verizon; the revelation resulted in a purchase price cut of around $4.5 billion. The hack took place around 2013. In October 2017, the search engine and email provider admitted that all 3 billion accounts had been breached, making it potentially the largest (in number of users affected) data breach of all time. Yahoo was derided for their slow response and disclosure times and for allowing known vulnerabilities to persist. Since the full extent of the data breach was revealed, the plaintiffs against them have tripled their damage claims.
Neither Verizon nor attorneys for the plaintiffs have provided comment to reporters at time of writing. U.S. investigators connected the breach to Russian threat actors, making this another example of a nation-state attack. The U.S. government has made some moves to try to mitigate the effectiveness of foreign hackers, but due to the complex geopolitical situation these hacks touch upon their response and retaliation options are limited. Enterprises should take note that this ruling will most likely set a precedent for consumers suing companies that suffer a data breach.
Latest posts by Ben Canner (see all)
- Revisiting Whether SOAR Will Replace SIEM in Business Cybersecurity - May 29, 2020
- Changing SIEM From Reactive to Proactive with Threat Hunting - May 27, 2020
- Top-Down SIEM: An Interview with Avi Chesla of Empow - May 21, 2020