Yahoo has agreed to pay $50 million in a preliminary settlement of a US federal lawsuit stemming from a series of data breaches that affected three billion users.
In a deal scheduled for final approval by the US District Court in San Jose, California, Yahoo will compensate 200 million affected account holders across the United States and Israel.
Yahoo has also agreed to provide two years of credit monitoring and identity theft insurance free of charge to eligible account holders.
The $50 million fund will be distributed to members of the class-action lawsuit to reimburse paid users for up to 25 per cent of their service charges, as well as cover the cost of any financial damages related to the breaches.
Yahoo will also pay up to $35 million in legal fees. The cost will be split between Verizon Communications, which acquired Yahoo’s core business last year, and Altaba, a company set up to manage Yahoo’s remaining investments and assets.
According to the agreement, claims can be submitted by all eligible Yahoo account holders who suffered financial losses in connection with the incident. Losses can include reimbursement for fraudulent charges, delayed federal tax refunds or other issues linked to having personal information compromised online.
The fund will compensate eligible account holders for time spent fixing any issues arising from the security breach at a rate of $25 per hour. Account holders with documented losses will be reimbursed for up to 15 hours of lost time, totalling $375. Users who cannot document losses are eligible to file claims of up to $125. Yahoo users who paid up to $50 annually for a premium email account will also be eligible for a 25 per cent refund.
Yahoo has appointed AllClear ID, a Texas-based online consumer protection firm, to manage the credit monitoring and repair services that will be provided to eligible account holders as part of the agreement. The firm will provide services with a retail value of $180 per year.
According to sources close to Yahoo, the company’s legal team are positive about the agreement, given the uncertainty of a potential verdict had the case headed to litigation. Industry experts have assessed the value of the data lost in the attack as ranging from $1 to $8 per account, suggesting that Yahoo could have been ordered by the court to pay affected account holders up to $1 billion had it lost the case at trial.
This news follows an announcement in April of this year that Altaba agreed to pay a $35 million fine to the US Securities and Exchange Commission (SEC), settling charges that the company misled investors by failing to disclose the data breaches, which occurred in 2013 and 2014 but were not revealed until two years later.
US federal law enforcement officials confirmed that hackers based in Russia had stolen sensitive data such as Yahoo usernames, addresses, phone numbers, and security questions and answers for hundreds of thousands of accounts. Yahoo claimed that hackers did not obtain credit card information, bank account information, or passwords.
Yahoo revealed the incident to the public only after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon. It was later confirmed that the final sale price was discounted by $350 million, accounting for a potential loss of brand reputation and possible financial impacts of the breaches.
Yahoo previously disputed estimates of potential damage related to the breach, claiming that many of its account holders had registered false information about their birthdates, names, and other personal data when signing up for email accounts.
In a security hearing before the US Senate Commerce Committee, Yahoo executives claimed that they had not been able to identify the method of intrusion, or the exact source of the breach. The company did not notice that it had been compromised until third-party evidence of the breach was presented by federal law enforcement in 2016.
A hearing to approve the preliminary settlement is scheduled for 29 November before Judge Lucy Koh at the US District Court for the Northern District of California in San Jose.
If approved, notices will be emailed to all affected account holders and published in the print editions of People and National Geographic magazines.
Yahoo has not yet issued a public statement about the settlement.