Yahoo agrees to pay $50 million in data-breach settlement and give affected users free credit monitoring services
Yahoo has agreed to pay $50 million in data-breach settlement to 200 million victims of what is believed to be the biggest data breach ever. The company will also provide two years of free credit-monitoring services to these affected users in the U.S. and Israel.
The security breaches that took place on two separate occasions in 2013 and 2014 was not disclosed by Yahoo until 2016. The data breach exposed usernames, email addresses, phone numbers, birth dates, security questions and answers, backup email addresses, and phone numbers.
“We are pleased that we were able to reach a settlement with Yahoo, which would provide relief to impacted users and ensure that Yahoo improves its security practices going forward,” said John Yanchunis, lead counsel of Morgan & Morgan in Tampa, Florida, in a statement on Tuesday.
The settlement filed late on Monday in a 2-year-old lawsuit that holds Yahoo accountable will see $50 million go to Yahoo users whose accounts were affected by the digital burglaries in 2013 and 2014, as part of the settlement. The company will also pay $35 million in legal fees.
Yahoo accountholders who paid $20 to $50 annually for a premium email account will be able to claim a 25% refund. According to the proposed settlement, the fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent handling issues related to the breach. However, the amount of compensation for those who have documented losses will be capped at 15 hours of lost time, or $375, while those without such information can ask for up to 5 hours, or $125.
Also, those who choose to receive credit monitoring could have it for at least two years. The free credit monitoring service’s value was pegged at about $359 for two years, although the settlement didn’t disclose how much Yahoo said it would pay to provide the coverage.
The lawyers representing Yahoo accountholders have a big incentive to get the settlement approved. If the settlement goes through, Yahoo will pay them up to $37.5 million in fees and expenses.
Verizon, which acquired Yahoo in 2017, will pay half the settlement cost, while Altaba, the company formed from the remainder of the Yahoo business, will pay $35 million imposed by the US Securities and Exchange Commission (SEC) for Yahoo’s failure in disclosing the breach in 2014 to the investors.
It wasn’t until last year that Yahoo admitted that the 2013 hack actually affected all 3 billion user accounts. The data breach is still under investigation, and the U.S. Department of Justice has charged Russian hackers with the 2014 breach that affected 500 million accounts.
A hearing on the proposed settlement is scheduled on Nov. 29 in U.S. District Court before U.S. District Judge Lucy Koh in San Jose, California. If the settlement gets approved, notices will be emailed to affected accountholders and published in People and National Geographic magazines.
Oath, the Verizon subsidiary that now oversees Yahoo, said through a spokesman Tuesday that it does not comment on lawsuits.