US judge allows Yahoo to be sued for 2013 data hacks

13 Mar 2018

A US judge has ruled that victims of the massive data breaches that exposed 3 billion email accounts in 2013, but disclosed only on 2017, could sue Yahoo.

US district judge Lucy Koh in San Jose, California, ruled that users may have acted differently had the company been more forthcoming about the hacks, while rejecting a bid by Verizon Communications, which bought Yahoo's Internet business for $ 4.5 billion in June 2017 (See: Verizon completes $4.5bn acquisition of Yahoo).

However, the judge also dismissed many claims, including negligence and breach of contract. She had earlier refused Yahoo's bid for dismissal of some unfair competition claims.

Back in October 2017, Yahoo announced its 2013 security breach exposed all 3 billion of its users (See: Yahoo now says all 3 billion accounts breached in 2013 hack). 

Yahoo had then said it obtained the new information after Verizon acquired it. It had earlier revealed that only 1 billion accounts had been compromised.  The stolen information didn't include passwords in clear text, payment data or bank account information, it had said.

Based on the new revelation, the plaintiffs amended their complaint. they had claimed the hack led to their information being leaked and subsequently used for fraudulent activities. They alleged that Yahoo knew about security vulnerabilities back in 2012 and about a 2014 hack as it occurred.

According to judge Koh, the amended complaint highlighted the importance of security in the plaintiffs' decision to use Yahoo.

Reuters quoted the judge as saying, ''Plaintiffs' allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,'' Koh wrote.

She also said the plaintiffs could try to show that liability limits in Yahoo's terms of service were''unconscionable,'' given the allegations that Yahoo knew its security was deficient but did little.

Seeking a dismissal, Yahoo claimed it had relentlessly faced criminal attacks for long.

Last March, US prosecutors charged two Russian intelligence agents and two hackers in connection with one of the Yahoo breaches, the Reuters report added, the Reuters report said.

Newsweek quoted US Attorney for the Northern District of California Brian Stretch as then saying, ''Silicon Valley's computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives.

"The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise.''