John Yanchunis Is Lead Counsel in Yahoo Data Breach Case attorney John A. Yanchunis will serve as Lead Counsel on the largest class action lawsuit in history—the Yahoo data breach that allegedly compromised the private data of hundreds of millions of people around the world.

In an order filed Thursday, February 9, 2017 in the Northern District of California, U.S. District Judge Lucy H. Koh appointed John A. Yanchunis of Morgan & Morgan and to serve as Lead Plaintiffs’ Counsel and Chair of the Plaintiffs’ Executive Committee.

Read the Order

Four firms filed motions to serve as lead counsel: Morgan & Morgan, Kaplan Fox & Kilsheimer LLP, Kessler Topaz Meltzer & Check LLP, and Susman Godfrey LLP. At a hearing in San Jose before Judge Koh made her decision, Mr. Yanchunis argued that a large firm of Morgan & Morgan’s stature—with more than 300 attorneys at its disposal—would be the best choice to take on a case of such magnitude.

At a press conference Saturday, Mr. Yanchunis said, “Morgan & Morgan is the biggest law firm of its type in the country. We have the legal talent and financial strength to take on anyone in this country.”

Mr. Yanchunis also noted that Morgan & Morgan (motto: “For the People”) only represents consumers, and never large companies.

Yahoo’s 2013 data breach (announced last year) compromised the data of roughly one billion users. A separate breach in 2014 compromised the data of 500 million users.

Mr. Yanchunis said Saturday that the lawsuit will represent everyone in the world whose data was breached.

Yanchunis Heads Five-Person Executive Committee

The other firms that filed motions to serve as lead counsel argued that the case was not as complex as it appeared, despite its mammoth size. They also claimed that a single firm should work the case, instead of the committee of firms helmed by Mr. Yanchunis.

Judge Koh thought they made “excellent points,” but ultimately disagreed.

Joining Mr. Yanchunis on the Executive Committee are Gayle Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP, Stuart Davidson of Robbins Geller Rudman & Dowd LLP, Karen Riebel of Lockridge Grindal Nauen PLLP, and Ariana Tadler of Milberg LLP.

As Lead Counsel and the Plaintiffs’ Executive Committee, Mr. Yanchunis and the abovementioned attorneys must review and record all billing records and “impose and enforce limits on the number of lawyers assigned to each task,” among other key duties.

Lawsuit Seeks Tighter Security, Hundreds of Millions in Damages

At the press conference, Mr. Yanchunis cited the long gap between the breaches and their announcement as one of the most concerning aspects of Yahoo’s actions.

“Those breaches either remained undetected or Yahoo failed to inform the public [for years].”

“What’s alarming about this is that the first breach occurred in 2014, but Yahoo did not announce it until September of 2016,” Mr. Yanchunis said. “The breach announced in December occurred in 2013. And yet, those breaches either remained undetected, or Yahoo failed to inform the public about the breaches.”

He also noted that most states have laws on the books requiring companies to inform consumers of data breaches within 30 days of discovering them.

Mr. Yanchunis said the lawsuit will seek stronger cybersecurity measures from Yahoo “to make sure that this never happens again.” Moreover, for those who suffered financial losses as a result of the breach, the lawsuit will seek damages.

Asked how much those damages might total, Mr. Yanchunis said it’s too early to say, but likely in the hundreds of millions of dollars.

“It will be extensive,” he said.

Experience with High-Profile Breaches Proved Crucial

In determining whom to name Lead Counsel for the largest class action ever, Judge Koh weighed the following chief criteria:

  • “Knowledge and experience in prosecuting complex litigation, including class actions, data breach, and/or privacy cases”
  • “Willingness and ability to commit to a time-consuming process”
  • “Ability to work cooperatively and efficiently with others”
  • “Access to sufficient resources to prosecute the litigation in a timely manner”
  • “Commitment to prioritizing the interests of the putative class”

The first criterion, experience, may have clinched the win for Mr. Yanchunis. He and Morgan & Morgan previously litigated two massive data breach cases—the Home Depot Inc. and Target Corp. cases. Those lawsuits were settled for $19 million (Home Depot) and $10 million (Target), respectively.

Now Mr. Yanchunis and his team will take on the biggest breach of all, and aim to hold Yahoo accountable for allegedly endangering the privacies and identities of hundreds of millions of people. Attorneys File Data Breach Lawsuit Against Yahoo

Less than a week after Yahoo announced that a 2014 data breach had compromised the private information of 500 million users—and two months before Yahoo said that a separate 2013 breach had endangered the data of 1 billion attorneys filed a negligence lawsuit against the tech giant for failing to protect and inform consumers.

Lead plaintiff Edward McMahon filed the lawsuit in the Northern District of California on behalf of himself and all others similarly situated, leaving the door open for a class action.

The complaint argues that Yahoo failed to safeguard its users’ personal information: names, email addresses, passwords, phone numbers, security questions and answers, etc.

Read the Complaint

It also says that Yahoo did not provide timely, accurate, or adequate notice of the data breach, and alleges breach of implied contract and violation of the California Unfair Competition Law, Business & Professions Code.

“It’s inconceivable that Yahoo either failed to detect the breach for two years,” said attorney John Yanchunis, “or it knew of the breach in 2014 and intentionally disregarded the privacy interests of consumers and breach notification laws by failing to inform consumers of the breach for two years.”

Yahoo Breach Could Have Major Aftershocks

Cyber-security experts say the Yahoo breach could trigger a chain reaction in which tens or even hundreds of thousands more accounts are hacked.

Matt Blaze, a security researcher at the University of Pennsylvania, tweeted that “data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters.”

These types of mega-breaches don’t just stop at the site that was breached, because the hackers now have vital information that can grant them access to other sites as well.

Hackers may use the passwords obtained in the Yahoo breach on other sites, gaining access to some of these accounts, too. Even if just 0.1% of the 500 million passwords work elsewhere, that would equal another 500,000 breaches.

And, as Mr. Yanchunis notes, while many Yahoo users may not actively use their breached Yahoo accounts, that does not mean they closed those accounts prior to 2014—which means their information was still there for the taking.

“The ramifications of this breach may be extremely devastating,” Mr. Yanchunis said.

How to Protect Yourself from Data Breaches

The complaint alleges that the lead plaintiff in the case, Edward McMahon, has noted suspicious activity on his Yahoo accounts, including not being able to access his accounts. He believes the hackers changed his passwords.

Mr. McMahon “has very important sensitive information in his emails that he… believes have been accessed,” according to the complaint.

If your personal information was compromised in the Yahoo data breach, the first thing you should do is change your passwords (Yahoo and others). Make sure they are all strong and unique. Other tips for protecting your data:

  • Enable multi-step verification whenever possible
  • Don’t recycle passwords across sites
  • Use apps like LastPass to store complex, hard-to-crack passwords
  • Check Have I Been Pwned? to determine if/when you’ve been hacked

If you have suffered financial or reputational harm as a result of a data breach, contact us immediately to explore your legal options. You may qualify for a data breach lawsuit.

Data Breaches Sharply On the Rise in 2016

It’s only April, but 227 data breaches have already exposed more than 6.2 million records this year, according to the Identity Theft Resource Center (ITRC). The number of breaches is 10% higher compared to this time last year, when there were 781 breaches exposing more than 169 million records.

A data breach occurs when an unauthorized person (hacker) gains access to confidential information for personal or political gain. Data breaches frequently lead to identity theft and financial losses. They have become increasingly common over the past several years, to the dismay of consumers.

Fight Back

The most notable breach this year (so far) involved fast food giant Wendy’s, which discovered malware on several locations’ systems. Many customers reported suspicious activity on the credit and debit cards they used at these locations. An Orlando man then filed a class action lawsuit against Wendy’s after his card was used by a thief for nearly $600 worth of purchases.

Krebs on Security reports that the financial losses sustained by credit unions from the Wendy’s breach will exceed that of the recent high-profile Target and Home Depot breaches. One credit union CEO hypothesized that the losses could be five to ten times higher than those incidents’.

Krebs also noted that one credit union is already halfway to its average annual total in fraud losses: another terrible omen for consumer security in 2016.

Over 100 Million Records Exposed Abroad

Data breaches are a growing crisis not just in the U.S. but abroad. Last week, a hacker exposed data on 50 million Turkish citizens, including their dates of birth, addresses, and the Turkish equivalent of social security numbers. He appears to have acted for political reasons, based on the following statements:

Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure? Do something about Erdogan! He is destroying your country beyond recognition.

The hacker also said “we” shouldn’t elect Donald Trump, who “sounds like he knows even less about running a country than Ergodan does,” suggesting the hacker is American.

This incident is one of the largest data breaches in history. The 50 million citizens account for more than half of Turkey’s entire population.

Incredibly, last week also saw a breach of the Philippines’ Commission on Elections (COMELEC), which exposed the data of 55 million voters. The “hacktivist” group Anonymous was supposedly responsible, as it warned the Filipino government to shore up its cyber-security in March.

Both the Turkish and Filipino governments downplayed the breaches, saying nothing of significance was stolen or revealed to the public.

Companies Pay Millions to Settle Data Breach Lawsuits

These data breaches can cost companies millions. When a company fails to exercise reasonable care in protecting their customers’ information, and a breach occurs, affected consumers may be able to file a class action suit against the company.

File a Lawsuit

For example, Home Depot agreed to pay $19.5 million to consumers after its data breach: $13 million to reimburse shoppers for losses and $6.5 million toward identity protection services. Theirs is just one of many multimillion-dollar settlements that have been reached after large-scale data breaches:

  • Sony (PlayStation network breach): $15 million
  • Target: $10 million
  • Sony (employee information breach): $8 million
  • Stanford University Hospital and Clinics: $4.1 million
  • AvMed Inc.: $3.1 million
  • Vendini: $3 million
  • Schnuck Markets: $2.1 million
  • LinkedIn: $1.25 million

In general, companies much prefer settling cases out of court versus going to trial. But that is especially true with data breach lawsuits, because there is almost no court precedent for these kinds of cases. Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.

Neiman Marcus Ruling Bodes Well for Data Breach Suits

That fear was heightened last summer when a panel of judges ruled that the Neiman Marcus data breach lawsuit (which had previously been thrown out) could proceed. The panel determined that it was reasonably likely that the plaintiffs would suffer injuries from the theft of their personal and financial data.

It’s a significant ruling because it means that the potential for theft or financial loss is legitimate grounds for a suit, even if said theft or loss has yet to occur. In other words, the Neiman Marcus case bodes well for the plaintiffs in current and future data breach lawsuits.

The Best Firm for Data Breach Victims

Our attorneys are currently investigating exactly these kinds of lawsuits. At Morgan & Morgan, we are dedicated to helping consumers hold companies accountable for these invasive data breaches. We have a long and successful history of battling large corporations—and winning. Against Big Tobacco, we won $90 million in verdicts and settlements.

If your credit card information, social security number, or other private information was stolen as a result of a data breach, we would like to hear from you. For a free consultation, complete a free, no-obligation case review today.