By Jonathan Stempel
Reuters
Yahoo has struck a revised $117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history.
The proposed class-action settlement made public Tuesday was designed to address criticisms by U.S. District Judge Lucy Koh in San Jose. She rejected an earlier version of the accord on Jan. 28, and her approval is still required.
Koh said the original settlement was not “fundamentally fair, adequate and reasonable” because it had no overall dollar value and did not say how much victims might expect to recover. She also said the legal fees appeared to be too high.
Yahoo, now part of New York-based Verizon Communications, had been accused of being slow to disclose three data breaches affecting about 3 billion accounts from 2013 to 2016.
The new settlement includes at least $55 million for victims’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees, and up to $8.5 million for other expenses.
It covers as many as 194 million people in the United States and Israel with roughly 896 million accounts.
John Yanchunis, a lawyer for the plaintiffs, in a court filing called the $117.5 million the “biggest common fund ever obtained in a data breach case.” He did not immediately respond to requests for additional comment.
Separately, Verizon agreed to spend $306 million between 2019 and 2022 on information security, five times what Yahoo spent from 2013 to 2016. It also pledged to quadruple Yahoo’s staffing in that area.
“The settlement demonstrates our strong commitment to security,” Verizon said in a statement.
Yahoo agreed in July 2016 to sell its internet business to Verizon for $4.83 billion. Only later did it reveal the scope of the breaches, prompting a price cut to $4.48 billion. Verizon wrote off much of Yahoo’s value in December.
U.S. prosecutors charged two Russian intelligence agents and two hackers in connection with one of the breaches in 2017. One hacker later pleaded guilty.