Hours after Yahoo announced that another massive data breach—reportedly perpetrated by an “unauthorized third party”—compromised the personal data of more than one billion user accounts, a proposed class action has been filed against the company alleging the hack was the result of its “failure to maintain adequate security measures and timely security breach notifications.” The 17-page lawsuit further claims that users’ data remains vulnerable, and that because of the company’s alleged security shortcomings consumers have had to, at their own expense, take extra precautionary measures to try to protect their sensitive information.
Despite Yahoo’s assurances, the lawsuit alleges, the company has “failed, and continued to fail, to provide adequate protection of its users’ personal and confidential information." More egregiously, the lawsuit continues, “Yahoo failed to provide sufficient and timely notice or warning of potential and actual cybersecurity breaches to its users so as to mitigate the users’ risks.”
This data breach, which occurred in August 2013 and is referred to in the complaint as “Security Incident II,” is supposedly not linked to the hack announced in September 2016. Yahoo, however, stated that they “have connected some of this activity to the same state-sponsored actor believed to be responsible for Security Incident I.”
The plaintiff, a Yahoo user for more than a decade, claims she incurred damage from both of the security incidents, which are considered by cybersecurity professionals to be two of the largest and wide-reaching data breaches in history.
While Yahoo said it believes only passwords and security question answers were stolen in Security Incident II, cybersecurity experts anticipate that the fallout from this just-announced hack could be catastrophic, since many consumers tend to use the same security answers and passwords across multiple platforms.
The lawsuit seeks to cover a proposed class of individuals in the United States who maintained an account, at any time, with Yahoo within the last four years that was vulnerable to cybersecurity breaches.
This lawsuit, filed in California district court, comes while the ink is still drying on almost two dozen previous class actions filed over “Security Incident I” and how Yahoo handled notifying its users of the hack.