Yahoo has struck a revised USD 117.5 million settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history. The proposed class-action settlement, made public on Tuesday, was designed to address criticisms from US District Judge Lucy Koh in San Jose, California. She rejected an earlier version of the accord on Jan. 28, and her approval is still required.
Koh said the original settlement was not “fundamentally fair, adequate and reasonable” because it had no overall dollar value and did not say how much victims might expect to recover. She also said the legal fees appeared to be too high.
Yahoo, now part of New York-based Verizon Communications Inc, had been accused of being slow to disclose three data breaches affecting about 3 billion accounts from 2013 to 2016.
The new settlement includes at least USD 55 million for victims’ out-of-pocket expenses and other costs, USD 24 million for two years of credit monitoring, up to USD 30 million for legal fees, and up to USD 8.5 million for other expenses.
It covers as many as 194 million people in the United States and Israel with roughly 896 million accounts.
In a court filing, John Yanchunis, a lawyer for the plaintiffs, called the USD 117.5 million the “biggest common fund ever obtained in a data breach case.” He did not immediately respond to requests for additional comment.
Separately, Verizon agreed to spend USD 306 million between 2019 and 2022 on information security, five times what Yahoo spent from 2013 to 2016. It also pledged to quadruple Yahoo’s staffing in that area.
“The settlement demonstrates our strong commitment to security,” Verizon said in a statement.
Yahoo agreed in July 2016 to sell its internet business to Verizon for USD 4.83 billion. Only later did it reveal the scope of the breaches, prompting a price cut to USD 4.48 billion. Verizon wrote off much of Yahoo’s value in December.
In 2017, US prosecutors charged two Russian intelligence agents and two hackers in connection with one of the breaches. One hacker later pleaded guilty.