Yahoo Sued For Gross Negligence Over Huge Hacking (reuters.com)
Yahoo apparently took two years to investigate and tell people that its service had been breached, and that over 500 million users were affected. Amid the announcement, a user is suing Yahoo, accusing the company of gross negligence. From a Reuters report: The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor." Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages. A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation. The attack could complicate Chief Executive Marissa Mayer's effort to shore up the website's flagging fortunes, two months after she agreed to a $4.8 billion sale of Yahoo's Internet business to Verizon Communications. Yahoo on Thursday said user information including names, email addresses, phone numbers, birth dates and encrypted passwords had been compromised in late 2014.
Not good enough (Score:5, Insightful)
When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. It doesn't solve the problem, either, because these are usually settled to the benefit of the lawyers. Instead, the executives and any managers who were behind this negligence need to spend some serious time in prison. Yes, that includes Marissa Mayer, who needs to be behind bars for the awful way her company handled the breach. I despise the Russian hackers, who deserve to be on the receiving end of vigilante justice. However, there also needs to be some lengthy jail sentences for plenty of people at Yahoo. It's also time that companies like Yahoo that do this have to pay serious restitution to everyone on the receiving end of such a breach, enough so to put the company out of business (that shouldn't be hard in Yahoo's case).
Re:Not good enough (Score:5, Interesting)
What I certainly would like to see punished is the very, very late disclosure of the breach. Starting this year, companies in the Netherlands are obliged to disclose data breaches. Fines for non-compliance go up to €500k for simple cases; for more serious cases the fine is capped at 10% of net yearly turnover. It's a start... the law applies only if sensitive information was leaked, such as names, dates of birth, addresses, medical info, etc. It doesn't cover username / password. Also, the company discloses the breach to the authorities, not their customers; the authorities may force the company to inform their customers as well, though.
Re: (Score:1)
What I certainly would like to see punished is the very, very late disclosure of the breach. Starting this year, companies in the Netherlands are obliged to disclose data breaches. Fines for non-compliance go up to €500k for simple cases; for more serious cases the fine is capped at 10% of net yearly turnover. It's a start...
No, it isn't. If loss of the company is not a potential reality for a breach, then it's not a start. It's just wankery.
Re: (Score:2, Interesting)
"When you're this negligent with your security, a simple class action lawsuit for damages won't suffice. "
Take a good look at the Lawyers involved...
They don't take on trivial cases.
They win.
They get huge settlements.
And don't think for a minute that "Ronald Schwartz" just waltzed into the Law Offices with a grudge. There will be other suits filed all over the country Very Soon Now, by other "Chosen" Plaintiffs, just to get this all rolled into one Big Hairy Juicy Class Action Law Suit. Possibly the biggest
Re: (Score:1)
Here is the problem - data breaches are so common in large companies that it is difficult to fault a specific company for negligent behavior. If everyone is negligent using current technology then there is no fault involved. You remind me of managers who believe if they simply demand, threaten, cajole, reward, etc, their programmers to work harder then software projects will be ready sooner. Threatening corporate managers with jail does not improve technology.
Re: (Score:2)
It's not using current technology that's the problem, it's that without unsafe methods you can't do remote administration, and it's more expensive to get someone to come in when you need to update the system. It's rather like a lot of the bugs that depend on BIOS flaws wouldn't be a problem if the BIOS couldn't be updated without throwing a local switch. And a lot of the complexity is mandated by marketing needs, not by technology.
It's my suspicion that a really safe network would be much cheaper, but thi
Re: (Score:2)
the executives and any managers who were behind this negligence need to spend some serious time in prison.
This reminds me of the old adage: "We build prisons for people we are afraid of, and then we fill them up with people we are mad at".
Prisons are to segregate people that are physically dangerous from civilized society. For other people, there are always better alternatives. For instance, Marissa could spend the next 5 years changing bedpans in hospitals while wearing an ankle bracelet.
America imprisons far more people per capita than other countries. Far more than Russia, four times as many as China, 15
Priorities are priorities (Score:2)
Marissa couldn't realistically investigate any faster than that. After all, she was busy tweaking the kerning for the updated company logo.
Disclosure 2 years later wait what? (Score:1)
2 YEARS later and likely only due to a condition on the merger so that Verizon doesn't have to accept the responsibility of eventual disclosure. Same shit different year. Good riddance to bad rubbish. Yeah you really turned that company around doll. Congrats for running it into the ground, not like it wasn't headed in that direction anyway, now you just get to be the fall girl. I'm sure she'll land on some soft pillows thanks to that golden parachute.
No trouble for the pending sale. (Score:3)
Remember, Yahoo is selling the CORE ASSETS, but Yahoo (the company) will still exist, as a placeholder for Alibaba and Yahoo! Japan shares. So, it is Yahoo (the company) that is still liable for the breach, not Verizon. If push comes to shove, Yahoo can sign a MoU stating that it, and not Verizon, is the one who will carry all the brunt of the hack (lawsuits, fines, reparations, costs and any other thing derived from this hack).
The Alibaba, Yahoo Japan and any other assets in this company shall be enough to cover that.
Re:Cheaper to get hacked than do security maintena (Score:4, Insightful)
pre-ITIL cowboy days
Are things a lot better post-ITIL? In my experience ITIL has made things a lot more predictable... most often predictably awful. Not that I blame ITIL for that; that's like blaming your hammer for the shoddy birdhouse you built. It's more like a crutch: people think "if we all do what it says in this book, we'll do better". In terms of business outcomes I have not found that to be true very often.
Re: (Score:3)
> to do any proactive security maintenance. This works in a number of ways.
Uh, that's not the right lesson to draw from this. If customers get hacked because they are running out-of-date CMSes, it's their fault. It's also their fault if it's not working because they have outdated crap that's incompatible with modern PHP versions. But if you neglected to update PHP, and the customers get hac
Re: (Score:2)
It's not your fault *THE FIRST TIME*. However, if you get hacked again after implementing fixes, it certainly IS your fault. It's cheaper to do nothing, but when you get hacked, you must do something, and it must be something to implement better security, and notify your users. Taking TWO FUCKING YEARS is way too long.
Re: (Score:2)
PHP? It's been my impression that right there you have identified one of the main security problems with your system.
FWIW, any rapid changeover is going to introduce its own costs and problems, but it is possible to write secure software which will generally pay for itself over time. Just not in the next quarter, or probably the next year. And you need to do decent Q/A testing before releasing the software. You still won't catch everything, but with the right design exploits won't propagate from module
Seems fair (Score:5, Insightful)
Gross negligence is accurate enough when a company allows data on 500 million customers to be hacked and then fails to notify those customers for 2 years. Choosing to keep this from customers achieves little more than proving the company cannot be trusted. This should have been handled better.
Fixing the problems, then disclosing the breach and taking immediate action to protect customers would be the action of a responsible and trustworthy company.
This is going to cost them customers and reduce the value of the company. Not an ideal situation for anyone about to buy it...
Closed my account with Yahoo. (Score:2)
Good luck getting around the mandatory arbitration (Score:2)
Verizon takeover (Score:2)
I'm behind the eight ball on this... Has Verizon made any mention of if they're still as eager to buy yahoo, since it could potentially expose them to this new liability that probably wasn't included for when they made their offer? Thinking of what happened to BoA when buying CountryWide Mortgage, for instance...
Par for the course for Ms. Mayer (Score:2)
Am I the only one... (Score:1)
Surprising reaction from a supposedly tech site (Score:2)
Do we know anything about what was "lax" at Yahoo? I certainly doubt that the lawyers involved in this have the slightest clue if there was any negligence at all involved. Their calculus is "wow, millions of accounts compromised. Let's go class action!"
And then I read through the comments here, and there is indignation at such weak security and lax procedures and they shouldn't just be sued they should all be taken out and shot and big corporations are teh evil!!
What we do know is that the hackers targeti