Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts

from the if-you-don't-fix-the-front,-you'll-be-paying-on-the-back-end dept

A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc, which bought Yahoo’s Internet business last June, to dismiss many claims, including for negligence and breach of contract.

Koh dismissed some other claims. She had previously denied Yahoo’s bid to dismiss some unfair competition claims.

Yahoo was accused of being too slow to disclose three data breaches that occurred from 2013 and 2016, increasing users’ risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.

Three billion is a lot of potential class-mates, even though many Yahoos users had moved on to more viable/useful services long before the breach began. That being said, password reuse is common. So is the tendency to have the same user name in place across several platforms. And, needless to say, personally identifiable info stays the same, no matter what platform Yahoo's former users have strayed to.

The complaint -- amended again after news broke that Yahoo's entire user base had been compromised -- notes that Yahoo's "unending" efforts were routinely terrible, if not practically nonexistent. The suit points out multiple Yahoo hosts were compromised in 2008 and 2009. The next year, Google notified Yahoo that its systems were being used to attack Google. And in 2012, Yahoo suffered two breaches, including one stemming from a SQL injection attack that revealed the company unendingly stored passwords in plain text.

A couple of claims have been dismissed but the most damaging -- negligence -- remains. The plaintiffs so far have presented plenty of evidence that Yahoo handled users' PII extremely carelessly. From the decision [PDF]:

First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Fifth, Defendants “knew their data security was inadequate” and that “they [did not] have the tools to detect and document intrusions or exfiltration of PII.” “Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs . . . of breaches or security vulnerabilities.” Id. Sixth, and finally, Defendants’ concealment of their knowledge and failure to adequately protect Plaintiffs’ PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA.

Yahoo also has to keep fighting "deceit by concealment" allegations stemming from its delayed reporting of known security breaches.

Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants’ allegedly inadequate security. However, Defendants fail to acknowledge that Defendants’ delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants’ delayed disclosures. Moreover, contrary to Defendants’ suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact—namely, Plaintiffs have already established their “digital identities around Yahoo Mail.” Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they “would have taken measures to protect themselves” if they had been informed beforehand.

In total, Yahoo is still on the hook for 9 of 15 allegations related to the massive security breach. And it has no one to blame but itself if new owner Verizon ends up shelling out for damages. Yahoo's terrible security had been a problem for a half-decade before the 2013 breach. Three years later, it became clear everything Yahoo had collected on three billion email accounts was now in the hands of other people. This long line of breaches show Yahoo was very interested in increasing its user base, but much less motivated to protect their info.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, cybersecurity, email, hack, liability, negligence, security, standing
Companies: verizon, yahoo