Attorneys File Data Breach Lawsuit Against Yahoo

Less than a week after Yahoo announced that a 2014 data breach had compromised the private information of 500 million users—and two months before Yahoo said that a separate 2013 breach had endangered the data of 1 billion attorneys filed a negligence lawsuit against the tech giant for failing to protect and inform consumers.

Lead plaintiff Edward McMahon filed the lawsuit in the Northern District of California on behalf of himself and all others similarly situated, leaving the door open for a class action.

The complaint argues that Yahoo failed to safeguard its users’ personal information: names, email addresses, passwords, phone numbers, security questions and answers, etc.

Read the Complaint

It also says that Yahoo did not provide timely, accurate, or adequate notice of the data breach, and alleges breach of implied contract and violation of the California Unfair Competition Law, Business & Professions Code.

“It’s inconceivable that Yahoo either failed to detect the breach for two years,” said attorney John Yanchunis, “or it knew of the breach in 2014 and intentionally disregarded the privacy interests of consumers and breach notification laws by failing to inform consumers of the breach for two years.”

Yahoo Breach Could Have Major Aftershocks

Cyber-security experts say the Yahoo breach could trigger a chain reaction in which tens or even hundreds of thousands more accounts are hacked.

Matt Blaze, a security researcher at the University of Pennsylvania, tweeted that “data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

These types of mega-breaches don’t just stop at the site that was breached, because the hackers now have vital information that can grant them access to other sites as well.

Hackers may use the passwords obtained in the Yahoo breach on other sites, gaining access to some of these accounts, too. Even if just 0.1% of the 500 million passwords work elsewhere, that would equal another 500,000 breaches.

And, as Mr. Yanchunis notes, while many Yahoo users may not actively use their breached Yahoo accounts, that does not mean they closed those accounts prior to 2014—which means their information was still there for the taking.

“The ramifications of this breach may be extremely devastating,” Mr. Yanchunis said.

How to Protect Yourself from Data Breaches

The complaint alleges that the lead plaintiff in the case, Edward McMahon, has noted suspicious activity on his Yahoo accounts, including not being able to access his accounts. He believes the hackers changed his passwords.

Mr. McMahon “has very important sensitive information in his emails that he… believes have been accessed,” according to the complaint.

If your personal information was compromised in the Yahoo data breach, the first thing you should do is change your passwords (Yahoo and others). Make sure they are all strong and unique. Other tips for protecting your data:

  • Enable multi-step verification whenever possible
  • Don’t recycle passwords across sites
  • Use apps like LastPass to store complex, hard-to-crack passwords
  • Check Have I Been Pwned? to determine if/when you’ve been hacked

If you have suffered financial or reputational harm as a result of a data breach, contact us immediately to explore your legal options. You may qualify for a data breach lawsuit.

Data Breaches Sharply On the Rise in 2016

It’s only April, but 227 data breaches have already exposed more than 6.2 million records this year, according to the Identity Theft Resource Center (ITRC). The number of breaches is 10% higher compared to this time last year, when there were 781 breaches exposing more than 169 million records.

A data breach occurs when an unauthorized person (hacker) gains access to confidential information for personal or political gain. Data breaches frequently lead to identity theft and financial losses. They have become increasingly common over the past several years, to the dismay of consumers.

Fight Back

The most notable breach this year (so far) involved fast food giant Wendy’s, which discovered malware on several locations’ systems. Many customers reported suspicious activity on the credit and debit cards they used at these locations. An Orlando man then filed a class action lawsuit against Wendy’s after his card was used by a thief for nearly $600 worth of purchases.

Krebs on Security reports that the financial losses sustained by credit unions from the Wendy’s breach will exceed that of the recent high-profile Target and Home Depot breaches. One credit union CEO hypothesized that the losses could be five to ten times higher than those incidents’.

Krebs also noted that one credit union is already halfway to its average annual total in fraud losses: another terrible omen for consumer security in 2016.

Over 100 Million Records Exposed Abroad

Data breaches are a growing crisis not just in the U.S. but abroad. Last week, a hacker exposed data on 50 million Turkish citizens, including their dates of birth, addresses, and the Turkish equivalent of social security numbers. He appears to have acted for political reasons, based on the following statements:

Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure? Do something about Erdogan! He is destroying your country beyond recognition.

The hacker also said “we” shouldn’t elect Donald Trump, who “sounds like he knows even less about running a country than Ergodan does,” suggesting the hacker is American.

This incident is one of the largest data breaches in history. The 50 million citizens account for more than half of Turkey’s entire population.

Incredibly, last week also saw a breach of the Philippines’ Commission on Elections (COMELEC), which exposed the data of 55 million voters. The “hacktivist” group Anonymous was supposedly responsible, as it warned the Filipino government to shore up its cyber-security in March.

Both the Turkish and Filipino governments downplayed the breaches, saying nothing of significance was stolen or revealed to the public.

Companies Pay Millions to Settle Data Breach Lawsuits

These data breaches can cost companies millions. When a company fails to exercise reasonable care in protecting their customers’ information, and a breach occurs, affected consumers may be able to file a class action suit against the company.

File a Lawsuit

For example, Home Depot agreed to pay $19.5 million to consumers after its data breach: $13 million to reimburse shoppers for losses and $6.5 million toward identity protection services. Theirs is just one of many multimillion-dollar settlements that have been reached after large-scale data breaches:

  • Sony (PlayStation network breach): $15 million
  • Target: $10 million
  • Sony (employee information breach): $8 million
  • Stanford University Hospital and Clinics: $4.1 million
  • AvMed Inc.: $3.1 million
  • Vendini: $3 million
  • Schnuck Markets: $2.1 million
  • LinkedIn: $1.25 million

In general, companies much prefer settling cases out of court versus going to trial. But that is especially true with data breach lawsuits, because there is almost no court precedent for these kinds of cases. Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.

Neiman Marcus Ruling Bodes Well for Data Breach Suits

That fear was heightened last summer when a panel of judges ruled that the Neiman Marcus data breach lawsuit (which had previously been thrown out) could proceed. The panel determined that it was reasonably likely that the plaintiffs would suffer injuries from the theft of their personal and financial data.

It’s a significant ruling because it means that the potential for theft or financial loss is legitimate grounds for a suit, even if said theft or loss has yet to occur. In other words, the Neiman Marcus case bodes well for the plaintiffs in current and future data breach lawsuits.

The Best Firm for Data Breach Victims

Our attorneys are currently investigating exactly these kinds of lawsuits. At Morgan & Morgan, we are dedicated to helping consumers hold companies accountable for these invasive data breaches. We have a long and successful history of battling large corporations—and winning. Against Big Tobacco, we won $90 million in verdicts and settlements.

If your credit card information, social security number, or other private information was stolen as a result of a data breach, we would like to hear from you. For a free consultation, complete a free, no-obligation case review today.