Yahoo has reportedly reached a revised $117.5m (£89.7m) settlement with millions of victims whose email addresses and other personal information were stolen in the largest data breach ever recorded.
The proposed settlement was publicly announced on Tuesday, but it still needs to be approved by US District Judge Lucy Koh, based in San Jose, California, Reuters said.
In January, she rejected an earlier version of the proposed settlement because it had no overall dollar value and did not specify how much victims might expect to recover.
Three breaches took place between 2013 and 2016, with a total of 3bn accounts affected. Users accused the company of not disclosing the breaches fast enough.
Yahoo data breach settlement
The new settlement includes at least $55m (£42m) for victims’ out-of-pocket expenses and other costs. It also includes $24m (£18.3m) for two years of credit monitoring, up to $30m (£22.9m) for legal fees, and up to $8.5m (£6.4m) for other expenses.
It covers as many as 194m people in the United States and Israel with roughly 896m accounts.
John Yanchunis, a lawyer for the plaintiffs, in a court filing, called the $117.5m (£89.7m) settlement the “biggest common fund ever obtained in a data breach case”, Reuters reported.
Separately, Verizon agreed to spend $306m (£233m) between 2019 and 2022 on information security, five times what Yahoo spent from 2013 to 2016. In addition, it pledged to quadruple Yahoo’s staffing in that area.
“The settlement demonstrates our strong commitment to security,” Verizon said in a statement.
In July 2016, Verizon acquired Yahoo for $4.83bn (£3.69bn). Only later did it reveal the scope of the breaches, prompting a price cut to $4.48bn (£3.42bn). Verizon wrote off much of Yahoo’s value in December, according to Reuters.
In 2017, US prosecutors charged four men, including two Russian intelligence agents and two hackers, over one of the breaches. One hacker later pleaded guilty.
“On average that is 25 dollars per compromised account, embarrassingly modest compensation for breach of your privacy and stolen personal data,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
“However, it’s pretty widespread for class actions that usually enrich the attorneys, not the victims. Otherwise, the settlement conveys an illusory message of relatively modest penalties for negligent data protection. In 2019, even a less severe breach is capable of exposing your company to incomparably severe and harsh sanctions in different jurisdictions. We have to take cybersecurity seriously or pay a considerable price.”