Back in 2016, Yahoo announced that all 3 billion of its customers’ accounts had their login information stolen. Not only that, but Yahoo took three years to tell the public about the potentially state-sponsored data breach. (If you don’t remember the story, check out the Breach podcast.)
It was initially estimated that the once glorious Yahoo, which is now part of Verizon, would end up paying up to $85 million to settle the class action lawsuit levied against it by angry users. That hefty fee included $50 million for compensation for up to 200 million affected users plus another $35 million for lawyers’ fees and expenses.
Turns out that may not have been enough. Now, per Bloomberg, Judge Lucy Koh in the U.S. District Court for the Northern District of California, has ruled that the original settlement was not “fundamentally fair, adequate and reasonable.” The parties came back with an increased settlement amount that Yahoo owes its customers.
The new settlement amount includes at least $55 million for victims’ out-of-pocket expenses and other costs, plus $24 million for two years of credit monitoring, up to $30 million assigned to legal fees. A further $8.5 million was set aside in the settlement for other expenses. It covers as many as 194 million people in the United States and Israel with roughly 896 million accounts.
The result is “the biggest common fund ever obtained in a data breach case,” Reuters reports, which would seem appropriate for the largest known data breach. Koh must now approve this new settlement.