Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.
Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.
In December 2016, the company announced a different breach, one that dated back to 2013, which impacted one billion user accounts. In October 2017, Yahoo admitted that the 2013 hack actually impacted all of its 3 billion users.
Several class action lawsuits were filed and the US Securities and Exchange Commission (SEC) launched an investigation into how the breaches were disclosed.
In a letter to shareholders, published on Monday on the SEC’s website, Altaba CEO Thomas J. McInerney revealed that the company expects to incur $47 million in settlement expenses related to three breach-related lawsuits.
“We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach. We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases,” McInerney wrote. “Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”
The latest breach-related settlement comes after Altaba in April agreed to pay a $35 million penalty to the SEC for not disclosing the 2014 breach to investors. In addition, a judge recently approved an $80 million settlement that Altaba agreed to pay after being accused of misleading investors about a total of four data breaches.
Commenting on the latest settlement, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said, “Class actions are known to provide their members with very modest compensation compared to individual lawsuits. The settlement (subject to approval by court) makes slightly above $10 per breached account – a scanty amount in the GDPR era. Should a similar data breach happen today with the same disclosure timeline and similar circumstances, the amount of settlement could be significantly higher. Therefore, I think this is a considerable legal victory for Yahoo’s legal team.”
Related: Target to Pay States $18.5 Million Over 2013 Data Breach
Related: Ashley Madison Offers $11 Million in Data Breach Settlement
Related: Home Depot to Pay Banks $25 Million for 2014 Breach

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
