Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.
Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.
The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.
“There's a sense of violation,” the plaintiffs' lawyer David Casey, of Casey Gerry Schenk Francavilla Blatt & Penfield, told The Register last night.
“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”
Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!
The court filing also states that Yahoo!, which is based in Sunnyvale, California, had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.
“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”
While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.
Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.
Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.
One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.
In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®