SAN JOSE, Calif. (CN) – Yahoo is on the hook for a slate of claims relating to a series of massive data breaches, including the largest one in history that took place in 2016.
U.S. District Judge Lucy Koh denied in part and granted in part Yahoo’s motion to dismiss the claims of plaintiffs who say they suffered financial injury due to the technology company’s failure to secure their personal information.
However, the most important claims of the plaintiffs will move forward and Koh has given them leave to amend their complaint to address shortcomings in the rest of their pleadings.
Yahoo attempted to argue the plaintiffs lack standing because they suffered no injury as a result of the breaches, were reimbursed for the injury they did suffer, or could not trace their injury directly to the data breach.
Koh rejected those arguments as unpersuasive.
“The court agrees with plaintiffs that plaintiffs have adequately alleged injury in fact,” Koh wrote in a 93-page ruling issued late Wednesday evening.
Koh went on to say that, in addition to sufficiently pleading that the data breach has exposed them to potential harm, some of the plaintiffs have already alleged financial injury resulting from the breach.
California resident Kimberly Heines said that soon after the breach occurred she discovered her social security benefits had been stolen and used to provide gift cards. As a result, Heines fell behind on bills and eventually incurred late fees, all of which amounted to a significant financial strain.
“Several United States plaintiffs allege that their stolen PII has already been misused by identity thieves and that they have experienced concrete harms as a result,” Koh wrote in the ruling.
PII stands for personally identifiable information, which several courts have found to be of value in other similar data breach cases, meaning people whose data has been compromised, stolen or sold as a result of insufficient cybersecurity have standing to sue.
Yahoo argued some of the plaintiffs lacked standing because they were reimbursed already for the loss of their PII, but Koh found the argument unpersuasive.
The case grew out of an admission by the company that half a million email accounts had been breached during 2014, with criminal hackers able to obtain passwords, social security numbers, names and addresses, telephone numbers and in some cases bank accounts and other private financial information.
Then late last year, the company also copped to another data breach in 2013, which may have led to the release of personal information of more than a billion internet users, including social security numbers, names, addresses, passwords and answers to security questions.
The class of plaintiffs has further alleged that Yahoo was hacked again in 2016, likely by the same syndicate that pulled off the 2014 hack, this time using Yahoo’s own ‘cookies’ to gain access to almost the entire network of the company’s account holders. Cookies store the login information of individual account holders so that users don’t have to log in to their email every time they use the computer.
Plaintiffs claim that hackers forged those cookies, allowing them to access accounts without the use of passwords and to remain illegally logged on to various accounts for longer periods of time.
The central claims put forward by several classes of plaintiffs say that Yahoo not only failed to do enough to protect the data from hackers, but also failed to disclose the 2013 and 2014 breaches in a timely manner, likely because the company was soliciting offers from buyers at the time.
“Plaintiffs also allege that ‘[b]y intentionally failing to disclose the breach in a timely manner as required by law, Yahoo misled consumers into continuing to sign up for Yahoo services and products, thus providing Yahoo a continuing income stream and a better chance of finalizing a sale of the company to Verizon,’” Koh wrote in the ruling.
Koh did not rule on the merits of the claims in and of themselves, only ruling that they were sufficiently pled to warrant moving forward in the trial.
The next phase will likely involve filing amended complaints to address deficiencies and then pursuing class certification.
There are already different classes based on geographic location and the type of service purchased from Yahoo.
For instance, Yahoo offered online services for small businesses, the users of which form their own class due to the differentiation in the nature of their claims from the more ordinary users of Yahoo platforms.