Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches Yahoo suffered in past years.
Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.
In December 2016, the company announced a different breach, one that dated back to 2013, which impacted one billion user accounts. In October 2017, Yahoo admitted that the 2013 hack actually impacted all of its 3 billion users.
In a letter to shareholders, published on Monday on the SEC’s website, Altaba CEO Thomas J. McInerney revealed that the company expects to incur $47 million in settlement expenses related to three breach-related lawsuits.
“We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach. We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases,” McInerney wrote. “Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”
The latest breach-related settlement comes after Altaba in April agreed to pay a $35 million penalty to the SEC for not disclosing the 2014 breach to investors. In addition, a judge recently approved an $80 million settlement that Altaba agreed to pay after being accused of misleading investors about a total of four data breaches.
Commenting on the latest settlement, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said, “Class actions are known to provide their members with very modest compensation compared to individual lawsuits. The settlement (subject to approval by court) makes slightly above $10 per breached account – a scanty amount in the GDPR era. Should a similar data breach happen today with the same disclosure timeline and similar circumstances, the amount of settlement could be significantly higher. Therefore, I think this is a considerable legal victory for Yahoo’s legal team.”