Tag Archives: Yahoo Breach

Yahoo Breach Victims Can Sue

Here’s a thought.  If the lawsuit against Yahoo succeeds and the award is $10 per victim, that would be a $30 billion judgement.

The breach, you may remember, was publicly disclosed after Verizon agreed to buy Yahoo but before the deal closed.  As a result of the announcement the price was lowered by $350 million, but there were also some changes to the terms.

Not all of the changes were announced publicly, but some of them likely concerned who gets to pay for fines and penalties.

*IF* the plaintiffs win and the award is $30 billion – two VERY BIG ifs – and even if the two companies split the $30 billion, then that $350 million discount won’t seem like much of a deal.  All of this is a big if.

For years judges dismissed these lawsuits out of hand saying that the plaintiffs didn’t suffer imminent harm or didn’t have standing at all.

In this case, the judge is someone who is familiar with both high tech and very public trials – she presided over the Apple-Samsung trial, among others.

The judge, Lucy Koh, said that it is reasonable that the plaintiffs might have chosen a different email provider if they had known that Yahoo’s email system had weaknesses.

She also said that the plaintiffs were going to be allowed to try and prove that the liability limits in Yahoo’s terms of service were unconscionable, given the allegations that Yahoo knew its security was horrible and didn’t do much about it.

It is going to be years before anything is likely settled, but we are seeing more and more that judges are no longer blindly siding with companies that say there is nothing they can do to prevent breaches.

Obviously no one knows what the outcome of this trial and appeals will be, but if the plaintiffs win and if there is a big award, it would set an interesting precedent.  This case is being tried in the 9th Circuit, which is in the heart of Silicon Valley.  If the plaintiffs win, it will definitely get the attention of every tech company in the valley.

I have heard that Yahoo did not have any cyber risk insurance.  If true, they could be digging deep in the couch cushions to pay for the trial, appeal and possible verdict.

Information for this post came from Reuters.


Courts Easing on Requirements For “Standing” in Breach Cases?

One of the things that has always been a barrier for people whose data was compromised during a breach is what lawyers call “Standing”.  Standing derives from Article III of the U.S. Constitution.  The courts have said that there are three requirements for “standing” to bring an action against another – injury in fact, causation and redressability.  I am not going to even try to pretend that I am a lawyer, but basically, it says that you have to suffer harm, that the harm can be reasonably linked to the action of the defendant and that a favorable court decision will reasonably redress the situation (Wikipedia).

For the most part, the courts have ruled that, most of the time, people do not have standing and therefore cannot sue.

In February, the Fourth Circuit Court of Appeals made it harder to show standing by ruling that plaintiffs had to show that the data thieves intentionally targeted the personal information that was stolen in the breach.  The decision centers on hypothetical future harm and whether you were actually injured.  There have been a number of court rulings like this (Fenwick and West).

However, more cases are starting to rule in the other direction.  Not overwhelmingly, and ultimately, it will likely have to be decided by the Supremes.

Earlier this week U.S. District Court Judge Lucy Koh ruled that a case against Yahoo due to the breaches in 2013, 2014, 2015 and 2016 can proceed, in part due to the actions of Yahoo in not disclosing for years that the breaches occurred.

Before this is blown out of proportion, Judge Koh is only a District Court judge.  On the other hand, she was the presiding judge in Apple v. Samsung and made companies like Adobe, Google and Intel bow to her will, so her opinion is not like that of some guy in a diner.

Verizon, which bought Yahoo, had hoped that this case would just go away, but at least for right now, the case will move forward.

Judicial doctrine takes years, even decades, to create.  The doctrine in this case is no different.  When it comes to determining standing with respect to the Constitution, it will take time.  This is just another building block as the courts continue to figure this out.

When companies reimburse people after a credit card breach or offer them credit monitoring, it is to reduce the injury-in-fact part. This, in turn, makes it harder for people to have standing.

The Yahoo case is a little different.  Since they kept the breaches secret for years, didn’t offer to reimburse people and didn’t offer credit monitoring, they did little to reduce the injury-in-fact part.  In fact, they didn’t even tell people, so that they could do these things themselves.

Companies have to make this particular decision all the time.  Do we disclose a breach or keep it secret?  Do we endure the bad P.R. or do we hope that word doesn’t get out?  In Yahoo’s case, as a result of that decision, the shareholders got to take a $350 million haircut in the form of a reduced purchase price, along with having to own responsibility for certain legal costs associated with the breach.

As this case moves forward, other companies will be watching closely.  Again, this is just one piece in a very large puzzle.

Information for this post came from Reuters.


DoJ Indicts 4 In Old Yahoo Breach

Today the Department of Justice announced the indictment of 4 in the 2013 Yahoo breach – three years after it happened.

Two of the people indicted are members of the Russian FSB.  Under Russian law, the FSB is part of the Russian military and responsible for, among other things, counterespionage.

The other two indicted are Russian hackers, hired, the DoJ says, by the FSB to do some of the dirty work.

As has already been reported, once a hacker has access to a user’s Yahoo mail credentials, that also gives them, similar to Gmail, access to all of the other Yahoo services such as Flickr, Tumblr and others.

The FSB, the successor to the KGB, is responsible for counterespionage, among other responsibilities.

The DoJ says that the FSB wanted access to the Yahoo accounts of journalists, dissidents and U.S. government officials so that they could find out what they were up to or, alternatively, blackmail them.

I wasn’t aware of this, but apparently the FSB has a bit of a capitalist leaning, even though they are Russian.  The FSB took what they wanted from the hack and allowed the hackers to use the rest of the data for their own thieving purposes.

One of the hackers was arrested in Moscow in December.  Needless to say, the Russians are not likely to turn him over to us.

One of the other people charged was in custody in Greece for some time but managed to make his way back to Russia.

The other hacker-mercenary was born in Kazakhstan but is a Canadian citizen.  He was arrested in Canada yesterday.  The Canadians will likely turn him over to the U.S. authorities.  He is likely the only one of the four that the U.S. will get their hands on, UNLESS one of them is stupid and decides to travel to a country more friendly to the U.S. than Russia.  Believe it or not, that has occurred on more than one occasion.

It is certainly possible that President Trump could add additional sanctions against Russia as President Obama did last year.  That is an option available to the U.S. if it chooses.

The indictments are also useful to let people know that even if the U.S. cannot capture the bad guys, it does have the ability, in a few very high profile cases, to spend the resources to identify them.  That might dissuade at least a few hackers who think that they might be caught.

In the grand scheme of things, most hackers understand that, unlike a case where 500 million accounts were hacked and another 1 billion accounts at the same company were later hacked, in 99.9% of cases the FBI is HIGHLY unlikely to spend the resources to find the culprit, so they are reasonably safe.

As it is said, pigs get fat but hogs get slaughtered – in other words, keep your hack small enough to be below the interest level of the law enforcement establishment.

Since a large percentage of the bad guys hail from countries that are not terribly friendly with us – ones with which we do not have extradition treaties – the FBI likely factors the odds of actually being able to lay hands on the bad guys into the calculus of how much of its limited resources to expend tilting at windmills.  And the bad guys know this.  Of course, some of the hackers are in America and some of them do get caught.  However, as is the case with many other crimes, the crooks make a calculated assumption that THEY are not going to get caught, even if other crooks will.

Unfortunately for us, in many cases the crooks are right and the odds are in the crooks’ favor.  And definitely, the odds are, almost always, against the FBI.

Information for this post came from the Washington Post.
