Yahoo has agreed to pay $50 million in damages and provide two years of free credit monitoring as restitution for its 2013 data breach, which affected millions of people and exposed billions of accounts.
The settlement resolves a lawsuit filed in federal court two years ago over the Yahoo data breaches that spanned 2013 to 2014 but were not disclosed until 2016.
The Yahoo data breach remains the largest on record, affecting 3 billion accounts and 200 million people worldwide. The exposed data included names, email addresses, physical addresses, birthdates and phone numbers of Yahoo users across the globe.
Yahoo is now part of Verizon and is overseen by the telecom's subsidiary Oath. When the breach was revealed during the acquisition process, the purchase price was cut by $350 million. Verizon, as the parent company, will pay half of the settlement; the other half will be paid by Altaba Inc., the holding company set up to hold Yahoo's Asian assets and investments.
In April, Altaba paid the $35 million fine that the Securities and Exchange Commission imposed on Yahoo for not notifying the public about the breach in a timely manner.
The $50 million Yahoo agreed to pay on Monday will fund compensation for small businesses and individuals that incurred costs as a result of the breach, such as identity theft. Affected account holders can claim $25 per hour for time spent dealing with the breach, and users who paid for a premium Yahoo account will be eligible for a 25% refund.
Yahoo will also cover the costs of free credit monitoring services from the company AllClear ID for two years.
A federal judge still needs to approve the settlement agreement, and a hearing is set with U.S. District Judge Lucy Koh on Nov. 29 in San Jose, Calif.
In other news:
- Security company Check Point Software is buying cloud security startup Dome9. The acquisition will bolster Check Point's cloud security offerings: Dome9 provides security and compliance management for workloads running in public clouds, including AWS, Microsoft Azure and Google Cloud Platform, across multi-cloud environments. "This acquisition strengthens Check Point's position as a global leader in cloud security, enhances Check Point's Infinity architecture, and the products join the Check Point CloudGuard family of Cloud Security products," the company wrote in the acquisition announcement. Dome9's capabilities include cloud security posture management, multi-cloud protection, remediation, identity and access management, network visualization, compliance, and enterprise governance.
- The U.K.'s Information Commissioner's Office (ICO) is fining Facebook £500,000 -- approximately $644,000 -- for failing to protect users' personal data in the Cambridge Analytica scandal. The fine is the maximum possible under the 1998 Data Protection Act, which applies because the conduct predates GDPR's May 2018 effective date. The trouble Facebook ran into with Cambridge Analytica earlier in 2018 was the exposure of up to 87 million users whose personal information was harvested by the now-defunct firm for use by political campaigns leading up to the 2016 U.S. presidential election and the U.K. referendum on Brexit. The ICO has been investigating Cambridge Analytica since the scandal broke. While the fine is the maximum possible under the 1998 Act, it could have been significantly higher under GDPR, which allows fines of up to €20 million (roughly $22 million) or 4% of global annual turnover, whichever is greater.
- Sen. Ron Wyden (D-Ore.) has urged the U.S. Department of Homeland Security to adopt newer encryption protocols so that foreign adversaries cannot passively observe which websites Americans visit. In a letter to DHS Under Secretary for National Protection and Programs Christopher Krebs, Wyden urged DHS to "protect web browsing information about Americans, including U.S. government employees. Metadata revealing specific website visits is currently transmitted over the internet without encryption, leaving it vulnerable to interception and tampering by foreign hackers and cyber criminals." Two pieces of metadata are at issue: the DNS query that resolves a hostname, which traditionally travels in plaintext over UDP port 53, and the Server Name Indication (SNI) extension in the TLS ClientHello, which states the hostname in the clear before the session is encrypted. Wyden asked that companies with federal contracts be required to use DNS over HTTPS (RFC 8484) or DNS over TLS (RFC 7858) to encrypt DNS lookups, and Encrypted Server Name Indication (at the time still an IETF draft) to hide the SNI hostname. Wyden gave DHS 60 days to respond to his requests.
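To make concrete what a passive observer on the network path sees without these protections, here is an added example (not from the article or from Wyden's letter) in Python. It builds a constructed DNS A query and a constructed TLS ClientHello for a hypothetical hostname, then parses the queried name and the SNI hostname straight out of the bytes, the way a sniffer would. The hostname, transaction ID, cipher suite and ALPN value are sample values chosen for the example; the parsers follow the RFC 1035 (DNS) and RFC 6066 (SNI) wire formats.

```python
import struct


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a plain UDP DNS A query as a stub resolver sends it (RFC 1035)."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split("."))
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_qname(packet: bytes) -> str:
    """Recover the queried name from an unencrypted DNS packet, as a passive observer would."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                  # compression pointers do not belong in a question
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal ClientHello carrying a cleartext server_name extension (RFC 6066)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension_type=server_name
    # An unrelated extension (ALPN "h2") placed first, so the parser must walk the list.
    alpn_ext = struct.pack("!HH", 0x0010, 5) + b"\x00\x03\x02h2"
    extensions = alpn_ext + sni_ext
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeros: sample only)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record: handshake


def extract_sni(record: bytes):
    """Pull the server name out of a captured ClientHello; None if absent, truncated or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                                # truncated capture
    pos = 2 + 32                                   # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000 or len(data) < 5:
            continue
        entries = data[2:2 + struct.unpack("!H", data[0:2])[0]]
        p = 0
        while p + 3 <= len(entries):
            ntype, nlen = entries[p], struct.unpack("!H", entries[p + 1:p + 3])[0]
            p += 3
            if ntype == 0 and p + nlen <= len(entries):
                return entries[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


if __name__ == "__main__":
    host = "www.example.com"                       # hypothetical hostname
    print("DNS observer sees:", parse_dns_qname(build_dns_query(host)))
    print("TLS observer sees:", extract_sni(build_client_hello(host)))
```

With DNS over TLS or DNS over HTTPS, the query that `parse_dns_qname` reads would be inside a TLS session, so the on-path observer gets only ciphertext on port 853 or 443; with Encrypted SNI (now Encrypted Client Hello) the real server_name is carried in an encrypted extension and `extract_sni` would return either nothing or a public decoy name. Note also how both parsers bound every length field against the buffer; a sniffer that trusts the lengths in attacker-influenced packets is itself a target.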