SAN JOSE, Calif. (CN) – A federal judge derided a settlement related to the biggest data breach in the history of the internet as inadequate Thursday, but said she remains undecided about whether to grant approval.
U.S. District Court Judge Lucy Koh said a $117 million settlement between Yahoo and a huge class of up to 3 billion people was insufficient.
“I know both parties are highly motivated to get the settlement approved, but I have concerns,” Koh said during a contentious hearing Thursday. “I have not been able to figure out the total estimated sum. It is very vague. One of the vaguest I’ve read.”
While public announcements pegged the settlement figure at $50 million plus credit monitoring services, lawyers for both sides accidentally disclosed the total figure during the hearing: $117.5 million.
“This is a much worse settlement than Anthem,” Koh said later, referring to an earlier data breach case involving a much smaller class that was settled for $115 million.
Koh questioned whether $35 million in class attorney fees is necessary, asked why only seven people were deposed, and chastised the plaintiffs for their seeming lack of curiosity about whether highly placed executives like former CEO Marissa Mayer knew of the breaches and whether there were other intrusions into Yahoo’s user database prior to the ones disclosed in the case.
“I’m disappointed that there doesn’t seem to be any motivation to get to the bottom of this,” Koh said. “It appears there’s a willful blindness or an attitude of ‘Let’s settle this and get out.’ The motivation of this lawsuit should be to find out the full extent of the potential damage and alert users so they can take precautions like shutting down bank accounts or getting new credit cards.”
Part of Koh’s frustration stemmed from the expert testimony of Mary France, an expert witness for the plaintiffs who said the information security practices at Yahoo earlier this decade might have allowed data breaches prior to the large one in 2013.
Yahoo attorney Anne Marie Mortimer said there was no evidence of a breach prior to the ones already disclosed – including one in August 2013 that Yahoo believes may have affected all 3 billion of its users at the time.
“The expert expressed concerns there were vulnerabilities earlier, but there was no proof that any breach happened,” she said.
Koh was also miffed the proposed settlement contains no specific requirements about how Yahoo responds to future security breaches, particularly as the plaintiffs argued high-level executives knew about security vulnerabilities but elected not to spend money on more robust measures for financial reasons.
Such provisions went into the Anthem settlement, Koh noted.
“The conduct of Yahoo in this case was more egregious because the company knew data breaches occurred, but withheld information from users – likely to make sure the sale to Verizon happened,” Koh said. “Anthem came clean immediately and gave credit monitoring to those affected. They didn’t have to get sued to give credit monitoring.”
Credit monitoring is part of the proposed Yahoo settlement, but Koh asked why it reimburses class members for only 15 hours of the time they spend dealing with identity theft.
“The compensation is designed to take into account extensive damage to users, but there has to be a cap,” said John Yanchunis, attorney for the plaintiffs. “There’s only $50 million.”
Both lawyers claimed comparisons to the Anthem case were off base, saying the Anthem breach – which included the theft of about 37.5 million medical records – was different because the information contained Social Security numbers and private medical information.
“There was no financial information or Social Security information in the Yahoo user database,” Mortimer said, adding the Yahoo breach involved email addresses, databases, encrypted passwords and answers to security questions.
But Koh noted the thieves who stole from Yahoo sold the information on the dark web for exorbitant sums and that emails could have contained financial information or Social Security numbers.
Mortimer said Yahoo used bitcoin to buy back the stolen information from the thieves “out of an abundance of caution,” but also said some buyers passed because the data was considered too old to be valuable.
In an earlier hearing, Koh said she takes her responsibility to protect settling class members seriously and has withheld approval from other major settlements.
She will decide on approval of the settlement in the coming weeks.