A federal judge has ruled that most of a lawsuit concerning Yahoo’s data breach, which exposed the personal information of all of its 3 billion users, can proceed.
Yahoo’s parent company Verizon Communications made an effort to get the claims tossed out by arguing that it had been the target of “relentless criminal attacks”, and the plaintiffs’ “20/20 hindsight” had not affected its efforts to eliminate “constantly evolving security threats.”
However, Judge Lucy Koh ruled against the argument.
“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” Koh wrote in her decision.
Slow to alert customers
The case centers around accusations that Yahoo took too long to notify users of the breaches. Koh said customers may have “taken measures to protect themselves” against identity theft and fraud had they known about the breaches sooner.
Three major data breaches hit the company between 2013 and 2016, but they were not disclosed until 2016.
Yahoo initially said one billion users were exposed by one hack and 500 million were exposed by another. Later, the company said it believed that all of its three billion users were affected by the data breaches.
By the time the breaches came to light, several customers had data stolen by criminals who used it to file fraudulent tax returns or credit card charges. Scores of other customers had to freeze their credit and spend money on monitoring and protection services.
Claims made against Yahoo in the lawsuit include negligence and breach of contract.