[BreachExchange] Yahoo clients sue after data breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 26 19:27:14 EDT 2016


http://www.iol.co.za/business/international/yahoo-clients-sue-after-data-breach-2072787

Yahoo is being accused in lawsuits of failing to secure customer data after
the company said the personal information of at least 500 million users was
stolen in a 2014 hack.

As a result of the company’s “failure to establish and implement basic data
security protocols, contrary to Yahoo’s guarantees, its users’ personal
information is now in the hands of criminals and/or enemies of the US”,
according to the latest complaint, filed on Friday in federal court in San
Jose, California.

The case was filed by a New York resident and seeks class-action status on
behalf of other Yahoo users. Similar cases have been filed in Illinois and
San Diego.

The disclosure of the data theft comes at a particularly sensitive time for
Chief Executive Officer Marissa Mayer, as she navigates the company toward
a planned $4.8 billion acquisition by Verizon Communications, set to close
by early next year. Mayer, who has dealt with difficulties and complaints
about Yahoo’s e-mail service in the past, needs to keep users logging in to
drive traffic and draw the advertising that fuels the company’s revenue
growth, which has been sluggish under her leadership.

Yahoo spokesman Charles Stewart declined to comment on the San Jose
complaint.

Compromised accounts

Plaintiff Ronald Schwartz is asking the court to require Yahoo to
compensate users for any damages resulting from fraud and to pay for
measures to identify and safeguard compromised accounts.

Schwartz slammed Yahoo for failing to discover the data breach until a few
months ago.

“Defendant’s misconduct was so bad that it evidently allowed unauthorised
and malicious access to plaintiff’s and the class’s personal information on
defendant’s computer systems to continue unimpeded for nearly two years,”
according to the complaint.

The attacker was a “state-sponsored actor”, and stolen information may
include names, email addresses, phone numbers, dates of birth, encrypted
passwords and, in some cases, un-encrypted security questions and answers,
Yahoo said on Thursday in a statement. The continuing investigation doesn’t
indicate theft of payment card data or bank account information, or
unprotected passwords, the company said. Affected users are being notified,
accounts are being secured, and there’s no evidence the attacker is still
in the network, Yahoo also said.