American multinational technology company Yahoo has been hit with a class-action lawsuit by a user accusing the company of gross negligence over a massive 2014 data breach in which personal information of at least 500 million users was stolen.
New York resident Ronald Schwartz filed the lawsuit on Friday (23 September) in the federal court in San Jose, California, on behalf of all Yahoo users in America whose personal information was compromised. The suit seeks class-action status and unspecified damages.
Yahoo disclosed on 22 September that sensitive user information including names, email addresses, phone numbers, birth dates and encrypted passwords of "at least" 500 million user accounts had been compromised in late 2014 in what has been dubbed the "biggest data breach in history."
"A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company's networks in late 2014 by what it believes is a state-sponsored actor," Yahoo chief information security officer Bob Lord said in a statement. "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt), and, in some cases, encrypted or unencrypted security questions and answers.
"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank information are not stored in the system that the investigation has found to be affected."
He added that the company is working closely with law enforcement to address the matter. The FBI has already confirmed that it is investigating the hack.
Represented by two large US class-action specialists, law firms Robbins Geller Rudman & Dowd and Labaton Sucharow, Schwartz's lawsuit alleges that Yahoo's actions constituted "a reckless disregard for the safety and security of Yahoo users' personal information."
The lawsuit suggests that the breach could have been prevented if the Sunnyvale, California-based company, which had been targeted by threat actors before, upheld its promise of taking user privacy "seriously" and bolstered its security efforts. The plaintiffs also criticized the company for taking around three times longer than companies usually need to detect and fully acknowledge a breach.
It also claims that Yahoo has not offered its users any assistance with identity theft protection, as other companies have in the event of a data breach. Given the fact that users whose information was compromised in the massive breach are "now at a much higher risk of having their identities stolen and must pay out of their own pockets to protect themselves," the lawsuit asserts that Yahoo should be responsible for "damages caused to its users."
"Yahoo's failure to safeguard its users' very personal, sensitive information, in direct violation of its promises, is utterly unacceptable in this day and age," attorneys from Labaton Sucharow and Robbins Geller said in a joint statement. "The fact that a breach of this magnitude went undetected at a tech giant like Yahoo for two years is astounding."
More than 8 million user accounts in the UK are believed to have been affected by the unprecedented data breach, with all users urged to change their passwords if they haven't done so since 2014. Internet service providers Sky and BT, which both use Yahoo's email services to power their own, have also issued warnings to customers who may have been affected by the breach.
The Information Commissioner's Office (ICO) described the data loss as "staggering," warning that it is a "sobering and important message" for companies that acquire and handle personal data about the severe potential consequences that could come with a security hack.
Some investors are also concerned that the recently revealed breach could affect the company's $4.8bn (£3.7bn) deal, inked in July, to sell its core business to telecom giant Verizon.
"Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so," Nikki Parker, vice-president at security company Covata, told the BBC. "Corporations can't shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem.
"Let's hope the ink is dry on the contract with Verizon."