Yahoo to pay $50M, other costs for massive security breach

FILE - In this July 19, 2016, file photo, flowers bloom in front of a Yahoo sign at the company's headquarters in Sunnyvale, Calif. Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to about 200 million people in the U.S. and Israel whose email addresses and other personal information were stolen as part of the biggest security breach in history. (AP Photo/Marcio Jose Sanchez, File)

SAN FRANCISCO — Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.

The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren't disclosed until 2016.

It adds to the financial fallout from a security lapse that provided a mortifying end to Yahoo's existence as an independent company and former CEO Marissa Mayer's six-year reign.

Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. It then had to discount that price by $350 million to reflect its tarnished brand and the specter of other potential costs stemming from the breach.

Verizon will now pay for one half of the settlement cost, with the other half paid by Altaba Inc., a company that was set up to hold Yahoo's investments in Asian companies and other assets after the sale. Altaba already paid a $35 million fine imposed by the Securities and Exchange Commission for Yahoo's delay in disclosing the breach to investors.

About 3 billion Yahoo accounts were hit by hackers that included some linked to Russia by the FBI. The settlement reached in a San Jose, California, court covers about 1 billion of those accounts held by an estimated 200 million people in the U.S. and Israel from 2012 through 2016.

Claims for a portion of the $50 million fund can be submitted by any eligible Yahoo accountholder who suffered losses resulting from the security breach. The costs can include such things as identity theft, delayed tax refunds or other problems linked to having had personal information pilfered during the Yahoo break-ins.

The fund will compensate Yahoo accountholders at a rate of $25 per hour for time spent dealing with issues triggered by the security breach, according to the preliminary settlement. Those with documented losses can ask for up to 15 hours of lost time, or $375. Those who can't document losses can file claims seeking up to five hours, or $125, for their time spent dealing with the breach.

Yahoo accountholders who paid $20 to $50 annually for a premium email account will be eligible for a 25 percent refund.

The free credit monitoring service from AllClear could end up being the most valuable part of the settlement for most accountholders. The lawyers representing the accountholders pegged the retail value of AllClear's credit-monitoring service at $14.95 per month, or about $359 for two years — but it's unlikely Yahoo will pay that rate. The settlement didn't disclose how much Yahoo had agreed to pay AllClear for covering affected accountholders.

The lawyers for Yahoo's accountholders praised the settlement as a positive outcome, given the uncertainty of what might have happened had the case headed to trial.

Estimates of damages caused by security breaches vary widely, with experts asserting the value of personal information held in email accounts can range from $1 to $8 per account. Those figures suggest Yahoo could have faced a bill of more than $1 billion had it lost the case.

But Yahoo had disputed those damages estimates and noted many of its accountholders submitted false information about their birthdates, names and other parts of their lives when they set up their email.

The lawyers representing Yahoo accountholders have a big incentive to get the settlement approved. Yahoo will pay them up to $37.5 million in fees and expenses if it goes through.

Oath, the Verizon subsidiary that now oversees Yahoo, declined to comment.

A hearing to approve the preliminary settlement is scheduled for Nov. 29 before U.S. District Judge Lucy Koh in San Jose. If approved, notices will be emailed to affected accountholders and published in People and National Geographic magazines.

___

This story has been corrected to read that the settlement was reached in a court in San Jose, California, not San Francisco.
