Judge Allows Much Of Yahoo Breach Suit To Go Forward

A U.S. district court in San Jose, California, ruled late last week that most of a lawsuit concerning Yahoo’s data breach, which exposed 3 billion users’ personal data, can proceed.

According to news from Reuters, U.S. District Judge Lucy Koh dismissed an effort by Yahoo parent company Verizon Communications Inc. to get the claims tossed out, including allegations of negligence and breach of contract. The judge, according to Reuters, previously denied a bid by Yahoo to dismiss claims of unfair competition.

Following the incident, Yahoo faced criticism that it was too slow to alert customers to the breach in data privacy that spanned three years, from 2013 to 2016. By not disclosing the fissure in its cybersecurity defenses sooner, the company increased the risk of identity theft for those who were impacted — not to mention the countless customers who had to freeze their credit and spend money on monitoring and protection services.

The Yahoo customers’ complaint was amended in October after Yahoo disclosed that the data breach impacted 3 billion users, triple its previous estimate. According to Reuters, the judge said the amended complaint shows how important a role security plays in a customer’s decision to use Yahoo.

“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” Koh wrote, according to Reuters. The judge also ruled the plaintiffs can attempt to show that liability limits in the terms of service at Yahoo were “unconscionable,” given allegations that Yahoo knew there were security shortcomings but didn’t do much to address them.

Back in Oct. 2017, Yahoo announced its 2013 security breach exposed all 3 billion of its users. According to news from Bloomberg Technology at the time, Yahoo obtained the new information after Verizon acquired it for $4.5 billion. Initially, Yahoo only revealed that 1 billion accounts had been compromised. The stolen information didn’t include passwords in clear text, payment data or bank account information.