A US court has nixed Yahoo!'s attempt to settle a class-action lawsuit over the 2013 megahack, saying it's fatally flawed.
Judge Lucy Koh of the California Northern District in San Jose ruled that a settlement proposed in October of 2018 was not acceptable, particularly with regard to the share of attorney fees and the opaque nature of the proposed payout for victims.
Koh pointed out that the settlement appears to earmark a whopping $35m in payments for attorney fees that include a number of law firms and attorneys who weren't even authorized to work on the case.
"By the Court’s count, Plaintiffs’ lodestar [fee calculation] covers 143 attorneys from 32 firms," Koh noted.
"This Court only authorized five law firms to work on the instant MDL case. On February 1, 2018, the Court ordered “[o]ther than the Plaintiffs’ Executive Committee, no other law firms shall work on this MDL without prior approval of the Court.”"
Additionally, the deal calls for the fees to be held separate from the fund, meaning any unclaimed cash would be handed back to Yahoo! instead of the customers. This, again, reeks of a deal that has the interests of Yahoo! and the lawyers in mind, rather than the actual plaintiffs.
To really rub it in, the settlement would have prevented others from being able to continue the suit based on separate but related claims about prior data breaches, even if Yahoo! paid off the individuals named in the lawsuit.
Among the holes the judge shot in the proposed deal was a lack of accounting for exactly how much money would go into the settlement and how the various costs were adding up. She notes that no total figure was presented for the settlement, and that the deal doesn't explain how the costs for credit monitoring service, administration of the settlement payouts, or service of notices would be calculated. Without that information, Koh says, it is impossible to decide if the customers are getting a fair deal.
Judge Koh summarised an expert report into Yahoo!'s security practices, commissioned by the claimants, as saying:
The report shows repeated failures to follow industry-standard security practices, extensive knowledge of ongoing security breaches beginning in 2008 with failure to adequately respond, failure to provide adequate staffing and training, and failure to comply with industry standard regulations.
The expert, Mary Frantz, also reportedly found "several incidents prior to 2013" that "involved several million accounts". ®