Finally! Cash Settlement For Billions Of Hacked Yahoo! Customers
By: Jim Stickley and Tina Davis
December 31, 2019
If you were one of the many affected by the two Yahoo! mega data breaches, you’re in good company. Waiting for approval by a California court (scheduled for April 2020), the settlement offers those affected the choice of up to $358 cash or two free years of credit monitoring. In 2016, the company acknowledged two breaches occurred, putting three billion of their customers’ usernames, email addresses, telephone numbers, birth dates, and passwords in the hands of bad actors. Yahoo! claims neither breach involved stolen financial data like bank account and credit card numbers. Their customers are left hoping Yahoo! is right about that. This latest settlement mirrors the one Equifax created after their 2017 mega breach involving 147 million people. Now that mega breaches are becoming just another cost of doing business, paying customers for their inconvenience appears to be the way things are trending.
Although the company waited up to three years to announce the breaches, Yahoo! finally admitted the first incident occurred in 2013. At that time, one billion Yahoo! customers had their PII (Personally Identifiable Information) hijacked by what the company called an “unauthorized third party.” Just one year later, 500 million Yahoo! users and their PII were compromised by a “state sponsored actor.” Regardless of who was at fault, three billion customers were left not knowing if their PII is being abused, and many had lengthy credit messes to clear up at their own expense. Yahoo! claims if there is a paper trail showing the cost and extent of the damage, they will reimburse the dollar amount and time spent fixing it. Yahoo!’s actions are very much like those of Equifax after their 2017 breach and are similarly structured. It appears many vulnerabilities in the Equifax systems were reported by their security consulting firm, but none of the flaws were acted upon. One theory for the breach was that an employee tasked with applying a security patch failed to do so, opening the door for cybercriminals.
Years later, it’s clear we may never know the truth behind the Yahoo! breaches. The only consolation is that the company is held financially responsible by the resulting class action lawsuit, and going directly to the website is the first step in getting compensated. The final amount victims will see is the $358 maximum settlement, which could go lower depending on how many actually file claims. Should victims not already have credit monitoring, it’s suggested they take the two free years offered. It’s up to each individual to quantify their inconvenience, but the biggest bang for their buck could end up being the peace of mind that comes with knowing their credit is being looked after. Just remember that credit monitoring is not the same as credit protection. These organizations watch for strange activity, but do not stop it from happening. They will let you know it happened so you can react quickly and prevent further damage.
No matter the settlement choice, the real cost of the data breach should be to the company. They’re very aware the actual cost of losing consumer confidence is something even they can’t put a price tag on.