SAN JOSE, Calif. (CN) – The case involving the largest data breach in the history of the internet appeared to finally be nearing its conclusion Thursday, after a federal judge indicated that she would approve a settlement between Yahoo and users whose emails may have been hacked.
Yahoo has agreed to pay $117 million to users whose emails may have been breached annually from 2012 through 2016.
Koh refused the first motion for approval of preliminary settlement in the case after she deemed the dollar amount too low and said the attorney’s fees were too high, particularly given the amount of work on the case compared to others of a similar nature.
The new settlement sets aside at least $55 million for victims’ out-of-pocket expenses and other costs, $24 million for two years of credit monitoring, up to $30 million for legal fees, and up to $8.5 million for other expenses.
“I don’t think we have to hold another hearing,” Koh said toward the end of an exhaustive hearing in San Jose Federal Court on Thursday.
Despite leaning towards approval, Koh was stern with both sides regarding aspects of the settlement that she felt were incomplete or misleading.
In the notice to class members, lawyers referred to only a partial list of the data breaches Yahoo suffered between 2012 and 2016.
“I’ve never seen a notice like this before,” Koh said.
“My impression is that Yahoo doesn’t want to disclose they were breached every year during the period, but that’s what happened here and unless it’s made clear I’m not going to approve it,” she added. “People should know what happened and when.”
John Yanchunis, attorney for the plaintiffs, said both parties would work to make the notice clearer.
“It was not the intent to hide anything,” he said.
The class could include as many as 194 million people — mostly residents of the U.S. and Israel — and affect approximately 900 million accounts. Initial reports have indicated the series of breaches may have affected as many as 3 billion accounts.
Separately, Verizon, which purchased Yahoo in 2016 soon after the largest breach was disclosed, pledged to spend around $306 million to beef up the company’s data security operation. The company also promised to quadruple security staff.
Koh demanded that the new, clearer notice be submitted by July 11, which will kick-start the preliminary approval process, with final approval tentatively slated for April 2020.