A U.S. judge has rejected Yahoo's proposed settlement with millions of people whose email addresses and other personal information were stolen in the largest data breach in history, faulting the internet services provider for a lack of transparency.
In a Monday night decision, U.S. District Judge Lucy Koh in San Jose, California, said she could not declare the settlement "fundamentally fair, adequate and reasonable" because it did not say how much victims could expect to recover.
Yahoo, now part of New York-based Verizon Communications, was accused of being too slow to disclose three breaches from 2013 to 2016 that affected an estimated three billion accounts.
The settlement called for a US$50 million payout, plus two years of free credit monitoring for about 200 million people in the United States and Israel with nearly one billion accounts.
But the judge said the accord did not disclose the size of the settlement fund or the costs of the credit monitoring, and the proposed class may be too big because the number of "active" users that Yahoo disclosed privately to her was far lower.
Koh also said the maximum US$35 million of fees for the plaintiffs' lawyers may be "unreasonably high," saying the legal theories of the case were "not particularly novel."
A lawyer for the plaintiffs did not immediately respond on Tuesday to requests for comment.
Verizon said: "While preliminary approval of the settlement was not granted, we're confident that we can achieve a viable path forward."
Yahoo revealed the full scope of the breaches after having agreed in July 2016 to sell its internet business to Verizon for US$4.83 billion. The revelations prompted a cut in the purchase price to US$4.48 billion.
U.S. prosecutors charged two Russian intelligence agents and two hackers in connection with one of the breaches in 2017. One hacker later pleaded guilty.
Koh contrasted her decision with her approval last August of health insurer Anthem's US$115 million settlement over data breaches affecting about 79 million victims.
The judge said Anthem, unlike Yahoo, timely disclosed the breaches, offered free credit monitoring even before settling, and committed to upgrading its data security.
"Yahoo's history of nondisclosure and lack of transparency related to the data breaches are egregious," Koh wrote.
"Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency," she added.
(Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis)