The judgment in the Northern Californian court on 30 August 2017 was made in respect of three breaches of Yahoo’s data security system, which resulted in millions of users’ data being exposed to hackers.
Claimants can pursue breach of contract and unfair competition claims, with the classes of claimants including a US citizen class, an Israel citizen class, an Australia, Venezuela & Spain citizens’ class, and a Small Business Users class. Each of these classes consists of all Yahoo account holders whose data protection was breached.
Many of Yahoo’s users suffered financial injury as they fell victim to identity and credit fraud, as well as theft of funds. These attacks affected Yahoo users on an international scale, as indicated by the global classes of claimants.
The breaches in data security occurred in 2013 and 2014, with a third attack in 2015/16. The breach in 2013 occurred when hackers gained access to more than one billion Yahoo accounts, resulting in the theft of sensitive personal information. This breach was not disclosed by Yahoo until December 2016. In 2014, hackers gained access to approximately 500 million Yahoo user accounts, resulting in similar damage to users; this breach was not disclosed by Yahoo until September 2016. The third data protection breach occurred across 2015 and 2016, when hackers imitated Yahoo’s cookies, allowing them to access users’ accounts without the need for a password and then maintain access to those accounts over a long period of time.
Importantly, the Judge noted that Yahoo’s delay in notifying users of the breaches prevented them from taking measures, such as changing their passwords, to protect their accounts. The claimants allege that as a consequence they are now at risk of future identity theft, alongside the damage already experienced.
Yahoo has doubtless already suffered reputational damage regarding both its security levels and its openness with users. As the Judge has allowed the claims to progress, this is unlikely to be the only consequence it will face, as claimants seek compensation for their loss. This case will be interesting to follow, as it may create a backdrop for litigation in other jurisdictions, such as the UK: investigations into the data breaches have since confirmed that all three billion of Yahoo’s users were in fact affected, in what has now been labelled the largest data breach in recorded history.
Had the General Data Protection Regulation (GDPR) already been in force, Yahoo would have violated serious obligations, including notification to customers of a data protection breach within 72 hours. Although the GDPR is not retrospective, it would have cost Yahoo 4% of its global group revenue or £20 million, whichever is greater, in respect of its users domiciled in Europe.