Cybercrime , Cyberwarfare / Nation-State Attacks , Data Loss Prevention (DLP)
Yahoo's Mega-Breaches: Altaba Moves to Settle Lawsuits$47 Million Settlement Agreement to be Submitted to Court in Next 45 Days
Lawsuits sparked by massive data breaches at Yahoo - and the company's failure to report those breaches to investors in a timely manner - may nearly be resolved.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
So says Altaba, the publicly traded investment company - Nasdaq ticker symbol: AABA - that is all that is left of Yahoo as a stand-alone entity after Yahoo's operating businesses were sold on June 16, 2017, for $4.48 billion to Verizon, which made them part of its OAuth group (see Marissa Mayer Bids Adieu to Yahoo).
Under the terms of the deal with Verizon, Yahoo - now Altaba - agreed to shoulder half of the costs related to government investigations and third-party litigation over its breaches. Altaba also bears full liability for any shareholder lawsuits and U.S. Securities and Exchange Commission settlements.
On Monday, Altaba updated investors about the status of the still-pending lawsuits filed after Yahoo reported two massive data breaches.
"We have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach," a letter to shareholders from Altaba reads. We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases.
"Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach."
Altaba already agreed in April to a pay a $35 million civil fine to the SEC to settle accusations that it failed to promptly notify investors about a December 2014 data breach.
Class Action Lawsuit Nears Settlement
The consumer class action lawsuits filed against Yahoo over its data breach are being heard by Judge Lucy Koh of the U.S. District Court for the Northern District of California in San Francisco.
In March, Koh rejected a motion by Verizon to dismiss a class action lawsuit brought by victims of Yahoo data breaches. The breaches appear to have compromised every Yahoo user's personal details at least once (see Federal Judge: Yahoo Breach Victims Can Sue).
A notice of settlement filed with the court Friday notes that on Sept. 7, all parties engaged in two data breach class action lawsuits against Yahoo had met with Altaba representatives for two days of mediation before Daniel Weinstein, a retired California judge who co-founded the JAMS mediation and arbitration service.
The defendants are listed as being Yahoo as well as Aabaco Small Business, formerly known as Yahoo Small Business Directory.
"Plaintiffs and defendants in both actions have reached an agreement in principle to resolve all pending claims in both actions," according to the notice of settlement. "The parties presently are finalizing terms, which they plan to reduce to a definitive agreement that ultimately will be presented for this court's approval within 45 days."
In the interim, the plaintiffs and defendants say they have requested "the parties to this action jointly and respectfully request the court stay this litigation in its entirety to allow the parties to focus their efforts entirely on finalizing the settlement and to avoid any unnecessary waste of judicial resources," their filing reads.
On Sept. 5, plaintiffs in the case noted in a court filing that in August they had deposed former Yahoo CIO Jay Rossiter on Aug. 16, and they were planning to depose Yahoo's former general counsel Ron Bell on Sept. 12, although Bell's attorney subsequently sought to delay his deposition until October or November, which the court rejected. Plaintiffs also reported that some of the 35 documents they had requested in connection with Bell's deposition were being withheld by Yahoo on attorney-client privilege grounds.
Plaintiffs on Sept. 5 also noted that Yahoo's former president and CEO, Marissa Mayer, was to be deposed on Oct. 9, but alluded to similar difficulties in obtaining required documentation. "Coordination of these depositions has been taken in conjunction with counsel in the parallel state court action and counsel for the individual witnesses," the joint case management conference statement.
"Plaintiffs are in the midst of negotiations with Ms. Mayer's counsel regarding the scope and process for her document production, which issues have previously been the subject of dispute," according to the statement made to the court. "While always hopeful of amicable resolution, plaintiffs believe further judicial involvement may be required."
Why Breached Businesses Settle
Verizon in August 2017 had sought to dismiss the complaint, which Judge Koh rejected, allowing the case to move forward. On the upside for the defendants, however, Koh denied several claims by the plaintiffs that Verizon had challenged, including deceit by concealment, negligence and breach of contract.
The vast majority of U.S. consumers' class action lawsuits filed over data breaches fail, legal experts say, owing to judges typically ruling that the "plaintiffs bar" - the group of attorneys representing plaintiffs - failed to prove that victims suffered an actual or threatened injury, under what's known as Article III standing (see British Airways Faces Class Action Lawsuit Over Data Breach).
When judges do allow such cases to proceed, defendants typically settle, rather than risk creating a disadvantageous precedent, legal experts say (see Why So Many Data Breach Lawsuits Fail).
Nation-State Hackers Tied to One Breach
Yahoo blamed nation-state attackers for one of its breaches. Mayer told a Congressional committee last November that it was tough for any corporation to defend against such attacks (see Former Yahoo CEO: Stronger Defense Couldn't Stop Breaches). "Even robust defenses ... aren't sufficient to protect against the state-sponsored attack, especially when they're extremely sophisticated and persistent," Mayer testified.
In March 2017, the U.S. Department of Justice indicted two Russian Federal Security Service - aka FSB - agents and two other freelance hackers for attacks against Google and Yahoo. One of the men, Karim Baratov, was extradited to the U.S., pleaded guilty to hacking Gmail and Yandex accounts, and sentenced in May (see Canadian Hacker Jailed for 5 Years Following Yahoo Breach). Baratov, however, was not accused of any involvement in the Yahoo breaches.
Timeline: Yahoo's Mega-Breaches
Breached businesses typically suffer few long-term consequences (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Aside from some hacked bitcoin exchanges that went out of business - as a result of losing all of their cryptocurrency - most hacked organizations and their stock prices soon recover.
Yahoo, however, had the misfortune to have discovered the 2013 breach, as well as the full extent of the 2014 breach, after Verizon offered to buy the struggling search giant for $4.83 billion in July 2016. The struggling search giant also faced allegations that it failed to investigate the breaches in a timely manner.
Here's a selected timeline of how and when Yahoo came clean about its breaches, and their true extent:
- July 2016: Verizon offers to acquire Yahoo for $4.8 billion.
- Sept. 22, 2016: Yahoo warns that a late-2014 breach affected 500 million or more users. The search giant says it learned about the breach from law enforcement agencies, and attributes it to an unspecified, state-sponsored actor.
- Nov. 9, 2016: In an SEC filing, Yahoo said that it was investigating if the 2014 attackers then used forged cookies to access users' accounts without authorization. Investigators later report that cookies for 32 million user accounts appear to have been stolen or used by attackers in 2015 and 2016.
- Dec. 14, 2016: Yahoo says it discovered a separate breach, which it believes occurred in August 2013, that had compromised 1 billion accounts. Yahoo says this breach is separate to the 2014 breach.
- March 2017: Probe by Yahoo's board of directors faults Yahoo's legal and senior management teams for failing to properly investigate the 2014 breach, which the company's security team had spotted. The board cancels Mayer's 2016 cash bonus as a result.
- June 16, 2017: After news of the breaches appeared to imperil the deal, Verizon closes its Yahoo acquisition for $4.48 billion - a $350 million discount off its initial bid. CEO Mayer exits with an extra $23 million in compensation, minus her title as head of Yahoo or CEO of the newly formed Altaba investment company.
- Oct. 3, 2017: Yahoo revises its August 2013 estimate of breach victims, now saying that all 3 billion of its user accounts appear to have been compromised.