For Yahoo, it’s back to square one. A motion to settle a lawsuit stemming from its series of data breaches has been swatted down by a California judge.
The plaintiffs in the case, who sued Yahoo after they said their personal data was stolen from Yahoo servers and sold on the dark web, had reached agreement with the tech giant on terms of a settlement.
But U.S. District Court Judge Lucy Koh rejected the agreement because she said it didn’t resolve the underlying issues. She complained that Yahoo had not committed to spend more money on security and charged the company with a lack of transparency in the wake of the incidents.
A spokesman for Verizon, Yahoo’s parent company, declined to comment on pending legal matters.
One billion user accounts
In December 2016 Yahoo confirmed that more than 1 billion user accounts had been compromised, a significant increase from the 500 million it disclosed three months earlier. It also said that it believed the first breach occurred as early as 2013.
Affected accounts contained names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. At the time Yahoo said it believed the breach was carried out with “forged cookies.” Cookies are small files generally used to store small amounts of data about specific clients or websites. In this case, hackers used forged versions to access users’ account data without needing a password.
The case centers around users’ charges that Yahoo took too long to report the data breaches. In her March ruling Koh said customers may have “taken measures to protect themselves” against identity theft and fraud had they known about the breaches sooner.
Critical of Yahoo
In rejecting the motion for a settlement, Koh was highly critical of Yahoo’s handling of the breaches and questioned its commitment to making things right.
“Yahoo has only committed to the $50 million in settlement funds and hides the total settlement fund amount,” she wrote.
Koh, who has presided over the case from the start, also said Yahoo has been vague about what steps it has taken to secure its network systems in the aftermath of the breaches.