The Yahoo class action lawsuit specifically covers three data breaches that affected the web portal’s users’ personal information:
a 2013 event in which hackers were able to access all 3 billion Yahoo accounts
a 2014 attack, which the firm said had affected more than 500 million accounts
a breach that happened between 2015-16, in which the plaintiffs allege that the data stolen in 2014 was used to gain access to specific user accounts
The lawyers pursuing the case noted that Yahoo had repeatedly delayed notifying the public of the incidents until some time after it had become aware of them.
In one instance, the business acknowledged it had paid for data from millions of its hacked accounts that had been advertised on the dark web, but disputed claims that it had failed to prevent the information being purchased by others.
Among the evidence presented to the court was a report submitted by the plaintiffs that alleged there had been further breaches dating back to 2008 involving “several million accounts”, which Judge Koh noted that Yahoo continued to deny.
Yahoo was taken over by the telecoms firm US Verizon in 2017 in a $4.5bn deal.
Firstly, Judge Koh said she was dissatisfied that it released Yahoo from having to make further payouts related to breaches prior to 2013.
Since the firm had not admitted to any such events, the judge said the court was unable to evaluate what harm might have been experienced by users.
Judge Koh added that a failure to disclose the total size of the settlement fund meant that those affected would be unable to determine if it was reasonable.
In addition, she expressed concern that the sum that could be claimed by the 140 lawyers pursuing the case “may be unreasonably high”.
The judge also claimed Yahoo had publicly declared an “inflated, inaccurate” estimate of the number of users affected while filing under seal – meaning it does not become part of the public record – “a more accurate, much smaller number”.
This might reduce the amount that could be claimed by each victim and act as a disincentive to them seeking recompense.
Furthermore, the judge criticised the tech firm for making only “vague commitments” to improve its cyber-security.
“Yahoo’s history of non-disclosure and lack of transparency related to the data breaches are egregious,” Judge Koh concluded.
“Unfortunately, the settlement [and related filings] continue this pattern of lack of transparency.”
Her refusal to accept the deal means the two sides will have to consider new terms.
A spokesman for Verizon said it did not discuss pending litigation.
The plaintiffs’ lead law firm has not responded to a request for comment.