Yahoo must face litigation on behalf of more than a billion users whose personal information was compromised in a massive data breach, a US judge has ruled.
The internet company now known as Oath, after it was bought by Verizon for $4.5bn this year, was attacked by hackers between 2013 and 2016, exposing the data of customers of its services.
US District Judge Lucy Koh ruled late on Wednesday that a class-action lawsuit can go forward because all the plaintiffs have an “alleged risk of future identity theft” as well as a “loss of value of their personal identification information”. Some of the plaintiffs had spent money to try to protect themselves from identity theft, she added.
She rejected Yahoo’s argument that the hacking victims do not have standing to sue, saying they could pursue breach of contract and unfair competition, because they could have taken action to close their accounts if they had known about the data breaches.
Yahoo admitted earlier this year that senior executives and relevant legal staff knew in 2014 about a hack by a state-sponsored attacker. An investigation by an independent committee found that they did not “properly comprehend or investigate” the incident to the full extent of what was known by Yahoo’s cyber security team.
Two cyber attacks were announced after Verizon agreed to buy the company last summer. In September 2016, Yahoo said it had evidence of the 2014 breach, which affected up to 500m accounts. Then in December 2016, it said it had discovered a second large data breach, which affected up to a billion accounts in 2013. Other breaches occurred up until last year.
After negotiations, the US telecoms group cut its offer price by $300m because of potential liabilities from the hack. Verizon did not respond to a request for comment.
The US Department of Justice charged two officers of the Russian Federal Security Service and two hackers in March, in connection with the second breach in late 2014.
The plaintiffs representing a class of Yahoo users in the US have alleged the hack caused them financial problems.
Kimberley Heines, a California resident, claims her Yahoo email account included information related to the service through which she claims her social security benefits, which were later stolen. Hasmatullah Essar, a Colorado resident, and Paul Dugas, a California resident, both said that unauthorised people had fraudulently filed tax returns under their social security numbers. Others reported credit card fraud and people sending unauthorised and inappropriate emails to business contacts.