Yahoo sued over data breach

Yahoo is facing a class action lawsuit that alleges that the internet firm showed a reckless disregard for the security of its users that resulted in a breach affecting half a billion accounts

A New Yorker is suing Yahoo over a recently confirmed 2014 data breach that the company said exposed personal details of “at least” 500 million accounts.

Ronald Schwartz has accused Yahoo of gross negligence and filed a lawsuit on behalf of all those affected by the breach in the US, reports Sky News.

The lawsuit seeks unspecified damages in compensation for Yahoo’s failure to prevent the breach by improving security measures and the company’s “reckless disregard for the security of its users’ personal information that it promised to protect”.

Confirmation of the breach is the latest misfortune to hit the beleaguered company that has failed to turn around its fortunes under seven successive CEOs or acting CEOs after declines in the face of competition from the likes of Google and Facebook.

After current CEO Marissa Mayer’s string of acquisitions and other initiatives aimed mainly at mobile services failed to deliver, the company finally decided to sell its core business to Verizon.

Although Yahoo confirmed it had reached an agreement to sell its core business to Verizon Communications for $4.83bn in cash in July 2016, the deal has not yet closed and could now be in jeopardy as a result of the massive breach confirmation and resulting criticism of Yahoo’s security.

Verizon has issued a statement, saying: “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”

The New York lawsuit comes as security company Venafi said an investigation had revealed that security at Yahoo remains poor despite the company’s claims to the contrary.

“Companies will get breached, that’s not news – and I don’t think customers believe any differently. What customers do implicitly expect from companies is that threats and breaches are detected in a timely manner and remedial actions taken,” said Javvad Malik, security advocate at security firm AlienVault.

“It is essential for companies to put in place robust threat detection and response controls to be able to react in a timely manner whenever a breach occurs. This can minimise the impact to its customers and own business operations,” he said.

Gubi Singh, chief operating officer at security firm Redscan, said that while civil litigation against a company hit by a cyber attack is not yet common, high-profile cases against companies, including T-Mobile, Experian and Target Corporation, have been reported in recent years.

“The challenge for any customer thinking about taking out legal action is proving they have incurred direct financial loss as a result of their personal data being compromised. Awards for distress are uncommon, so this appears to be the main factor holding back claims,” he said.

Until companies start doing more to protect the data that they hold, Singh said an increasing number will face the threat of legal action – not just from customers, but also from suppliers and industry regulators.

“Mounting financial and reputational costs of a breach can easily exceed investment in more effective defences. When the GDPR is enforced, any organisation handling EU citizens’ data could face significant fines for failing to keep that data safe,” he said.

Lawsuit complications

However, some commentators have expressed doubts that litigation on its own will force companies to protect themselves better, while others have pointed out that the class action will face some challenges.

“First, with so few technical details available now about how the bad guys got in, it is very hard to make a case for gross negligence,” said Jonathan Sander, vice-president of product strategy at Lieberman Software.

“The lawsuit assumes Yahoo must have been lazy or incompetent in some way but, when you’re as big a target as they are, you can do everything right and still get cracked,” he said.

“There simply aren’t enough security controls in the world to keep up with the flaws, vulnerabilities and other attacks the bad guys can deploy when they’re truly determined.”

Another issue, said Sander, is measuring how secure Yahoo was when they were breached. “There really aren’t good standards for this. There aren’t even widely accepted legal definitions – ideas that are well tested in court,” he said.

According to Sander, Yahoo could argue they seriously strived to meet all those controls and more. “A lawsuit like this will likely come down to how contrite and competent Yahoo seems in court, even though that has so little to do with why the breach took place,” he said.
