SAN JOSE, Calif. (CN) – Yahoo must face a raft of civil claims relating to the largest data breach in history, a federal judge ruled late Friday.
U.S. District Court Judge Lucy Koh denied Yahoo’s attempt to dismiss a variety of claims that it failed to protect its users’ data while hiding the nature of its flimsy digital security practices and taking too long to notify customers of the threats to their information.
“The sole argument raised in defendants’ motion to dismiss is unpersuasive,” Koh wrote in the 43-page order issued late Friday.
Koh’s order represents a significant legal defeat for Yahoo, recently purchased by Verizon. In addition to advancing negligence claims, Koh said users can seek punitive damages under California law relating to their claims Yahoo knew it had an inadequate security apparatus, but did little to address it and did not inform users immediately when the hacks occurred.
The judge also chided Yahoo’s legal strategy of blaming its customers for continuing to use its email services after learning of data breaches.
“(Yahoo) also criticize plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of defendants’ allegedly inadequate security,” Koh wrote. “However, defendants fail to acknowledge that defendants’ delayed disclosures are likely to have harmed plaintiffs in the interim.”
The case began in 2016, after a number of plaintiffs sued the web services provider following a disclosure that more than 1 billion email accounts had been hacked three times over a three-year period beginning in 2013.
Discovery has since revealed the estimate was too conservative: all 3 billion users of Yahoo’s various web service platforms were exposed to hackers.
The first hack occurred in 2013, when Yahoo used an encryption technology that was widely acknowledged within the data-security industry to be outdated and inadequate.
Yahoo also failed to alert customers about the breach and when it finally disclosed the cyberattack three years later, it underestimated the scope, according to the plaintiffs.
Hackers hit the company again in 2014, this time using a spear-phishing scheme in which one or more Yahoo executives voluntarily entered usernames and passwords to give hackers access to a vast amount of privileged data.
In 2016, the last hack used the forged-cookie technique. Cookies allow users to stay signed into various websites. Hackers forged cookies through which users unwittingly gave hackers prolonged access to vulnerable data.
All told, Yahoo’s 3 billion users suffered exposure of privileged information including names, email addresses, social security numbers, bank accounts, home addresses, ZIP codes, occupations, birth dates and personal preferences.
Lead plaintiff Kimberly Heines says hackers used information stolen from her Yahoo emails to pilfer her Social Security payments, causing her to fall behind on bills and incur late fees.
New Jersey couple Matthew and Deana Ridolfo say hackers took out several lines of credit in their names, and they spent significant time addressing the fallout from the identity theft besides paying monthly fees for identity theft services.
Several of the other plaintiffs experienced similar issues.
Many of the plaintiffs claim they would have behaved differently had they known in 2013 that their private information had been compromised. They say Yahoo’s failure to promptly disclose the depth and breadth of the hack created direct financial harm.
Koh sided with them at the motion to dismiss stage and advanced the case.
“Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System,” Koh wrote.
U.S. prosecutors have charged four individuals – two Russian intelligence agents and two hackers – in connection with the data breach.
Karim Baratov, a Canadian national hired by the Russian government to perform various hacks, pleaded guilty last November to various computer hacking and conspiracy charges.
Three other suspects, Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin and Alexsey Alexseyevich Belan, remain at large in Russia, according to the U.S. Department of Justice.