Judge lets hackers’ victims seek payback
Yahoo can’t escape claims that it should pay punitive damages over data breaches that left information on 3 billion customers in hackers’ hands.
Customers make a plausible argument that high-ranking executives and managers at Yahoo engaged in “malicious conduct,’’ the standard for seeking punitive damages on top of ordinary compensation, U.S. District Judge Lucy Koh said in a ruling in San Jose.
“The claims are baseless, and can’t comment beyond that because of pending litigation,” said Bob Varettoni, a spokesman for Verizon, which acquired the Internet firm last year, shaving $350 million off its value because of the breach. Punitive damages could be in the hundreds of millions of dollars.
Yahoo reached an $80 million settlement this month with investors over claims that executives concealed the data breaches to artificially inflate share prices. Under the accord, investors are due to get 12 cents for each share of Yahoo stock they owned.
With the investor claims settled, Yahoo will probably move to resolve the consolidated customer cases, said Rahul Telang, a professor of information systems at Carnegie Mellon University in Pittsburgh. “I foresee a settlement in the hundreds of millions rather than billions,” Telang said.
Anthem set the record for a data breach settlement when it agreed last year to pay customers $115 million over a 2015 cyberattack that compromised data on 78.8 million people. That case was also before Koh, who has proven to be tough on companies that allow private customer data to be stolen or sold for commercial marketing.
Pending litigation against Equifax in Atlanta over claims that its negligence allowed hackers to steal sensitive credit data from almost half the U.S. population is expected to extend the largest amount for a consumer recovery.
Verizon bought Yahoo’s online businesses, which includes its email service, sports and finance new sites, for $4.5 billion to combine it with its AOL operation. The combined companies operate under the name Oath.
The remainder of Yahoo, which include stock in China’s Alibaba Group Holding Inc. and Yahoo Japan worth more than $40 billion, went into Altaba Inc. Verizon and Altaba agreed to evenly split all costs tied to lawsuit liability over the data breaches as part of the Yahoo acquisition deal.
Koh said in her ruling Friday that customers produced evidence showing that Yahoo’s top computer-security officials knew about the repeated breaches and did nothing to address them. Yahoo’s approach to the breaches was to “sweep it under the rug,” the judge said.
The breaches threatened the Verizon deal, cost millions of dollars in legal fees and spurred more than 40 lawsuits, which have been consolidated before Koh for pretrial information exchanges.
Yahoo customers contend that as a result of the lax security, their data has been used to steal money from bank accounts, create credit problems and resulted in fraudulent tax filings.
Last year, the U.S. accused Russia of directing some of the world’s most notorious cybercriminals to break into Yahoo in 2014 in a criminal indictment alleging a widespread conspiracy by two Russian FSB security agents and a pair of hackers.
Koh is due to decide whether to give preliminary approval to the settlement with investors on May 3, according to court dockets. Lawyers for Yahoo shareholders are requesting $20 million in legal fees.
“A recovery of 12 cents a share doesn’t sound like a victory for shareholders,” said Erik Gordon, a professor at the University of Michigan’s Ross School of Business. “This sounds like more a victory for their lawyers.”