Yahoo strikes US$117.5m data breach settlement after earlier accord rejected

[NEW YORK] Yahoo has struck a revised US$117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history.

The proposed class-action settlement made public on Tuesday was designed to address criticisms of US District Judge Lucy Koh in San Jose, California. She rejected an earlier version of the accord on Jan 28, and her approval is still required.

Judge Koh said the original settlement was not "fundamentally fair, adequate and reasonable" because it had no overall dollar value and did not say how much victims might expect to recover. She also said the legal fees appeared to be too high.

Yahoo, now part of New York-based Verizon Communications Inc, had been accused of being slow to disclose three data breaches affecting about 3 billion accounts from 2013 to 2016.

The new settlement includes at least US$55 million for victims' out-of-pocket expenses and other costs, US$24 million for two years of credit monitoring, up to US$30 million for legal fees, and up to US$8.5 million for other expenses.

It covers as many as 194 million people in the United States and Israel with roughly 896 million accounts.

John Yanchunis, a lawyer for the plaintiffs, in a court filing called the US$117.5 million the "biggest common fund ever obtained in a data breach case." He did not immediately respond to requests for additional comment.

Separately, Verizon agreed to spend US$306 million between 2019 and 2022 on information security, five times what Yahoo spent from 2013 to 2016. It also pledged to quadruple Yahoo's staffing in that area.

"The settlement demonstrates our strong commitment to security," Verizon said in a statement.

Yahoo agreed in July 2016 to sell its internet business to Verizon for US$4.83 billion. Only later did it reveal the scope of the breaches, prompting a price cut to US$4.48 billion. Verizon wrote off much of Yahoo's value in December.

US prosecutors charged two Russian intelligence agents and two hackers in connection with one of the breaches in 2017. One hacker later pleaded guilty.

REUTERS